Abstract. In earlier work, the Abstract State Machine Thesis — that arbitrary algorithms are behaviorally equivalent to abstract state machines — was established for several classes of algorithms, including ordinary, interactive, small-step algorithms. This was accomplished on the basis of axiomatizations of these classes of algorithms. In a companion paper [5] the axiomatisation was extended to cover interactive small-step algorithms that are not necessarily ordinary. This means that the algorithms (1) can complete a step without necessarily waiting for replies to all queries from that step and (2) can use not only the environment's replies but also the order in which the replies were received. In order to prove the thesis for algorithms of this generality, we extend here the definition of abstract state machines to incorporate explicit attention to the relative timing of replies and to the possible absence of replies. We prove the characterization theorem for extended ASMs with respect to general algorithms as axiomatised in [5].
1. Introduction

Traditional models of computation, like the venerable Turing machine, are, despite the Church-Turing thesis, rather distant intuitively from many of the concerns of modern computing. Graphical user interfaces, parallel and distributed computing, communication and security protocols, and various other sorts of computation do not easily fit the traditional picture of computing from input strings to output strings. Abstract state machines (ASMs) were introduced for the purpose of modeling algorithms at their natural level of abstraction, as opposed to the far lower level of abstraction usually needed by a Turing machine model. That ASMs fulfill their purpose was at first an empirical fact, supported by numerous case studies, not only of algorithms in the usual sense but also of whole programming languages and of hardware; see [11] for many examples. The Abstract State Machine Thesis, first proposed in [7] and then elaborated in [8, 9], asserts that every algorithm is equivalent, on its natural level of abstraction, to an abstract state machine. Beginning in [10] and continuing in [1], [2], [3], and [4], the thesis has been proved for various classes of algorithms. In each case, the class of algorithms under consideration was defined by postulates describing, in very general terms, the nature of the algorithms, and in each case the main theorem was that all algorithms of this class are equivalent, in a strong sense, to ASMs.

The thesis was proved first, in [10], for the class of algorithms that are sequential 
(i.e., proceed in discrete steps and do only a bounded amount of work per step) and do 
not interact with the external environment within steps. (The environment is allowed to 
intervene between steps to change the algorithm's state.) 

Subsequent work extended the result in two directions. Parallel algorithms, in which a bound on work per step applies to each processor but not to the algorithm as a whole, were treated in [1] but still without intrastep interaction with the environment. In [2, 3, 4], intrastep interaction was added to sequential computation, subject to a restriction to "ordinary" interaction, and the ASM thesis was proved for the resulting class of algorithms. In both of these directions, the standard syntax of ASMs, as presented in [9], was adequate, with only very minor modifications.

In the present paper and its companion paper [5], we continue this tradition, now removing the restriction to ordinary interaction. That is, we propose the postulates in [5] as a general description of sequential algorithms interacting with their environments, and we show in the present paper that all algorithms that satisfy the postulates are behaviorally equivalent, in a strong sense, to ASMs.

There is, however, an important difference between this work and the earlier proofs of the ASM thesis. The traditional ASM syntax and semantics from [9] are no longer adequate. They require a significant extension, allowing an ASM program (1) to refer to the order in which the values of external functions are received from the environment and (2) to declare a step complete even if not all external function values have been determined. Neither of these two possibilities was permitted by the postulates defining "ordinary algorithm" in [2].

In [5], we presented postulates that permit both of these possibilities, and we argued 
that these postulates capture the general concept of sequential, interactive algorithm. In 
the present paper, we extend the syntax and semantics of abstract state machines so that 
non-ordinary algorithms become expressible. The main contributions of this paper are 

• syntax and semantics for ASMs incorporating interaction that need not be ordinary, 

• verification that ASMs satisfy the postulates of [5], and 
• proof that every algorithm satisfying the postulates is equivalent, in a strong sense, to an ASM.

Most design decisions about the syntax and semantics of general interactive ASMs were guided, and often forced, by the axiomatisation of appropriate algorithms in the companion paper [5]. Sections 2 and 3, defining the syntax and semantics of interactive ASMs, are self-contained and could in principle be read independently of [5], but we refer the reader to [5], and sometimes also to [2, 3, 4], for extensive discussion, motivation and justification of some of the choices made, as well as the relation to other work. Sections 4 and 5, relating the ASMs of Section 2 to algorithms as axiomatized in [5], use the definitions and results of [5]. We presume that the reader has a copy of the companion paper [5] available, but, as an aid to intuition, we summarize briefly the main content of the postulates.

The states of an algorithm are structures for a finite vocabulary Υ, and certain states are designated as initial states. The algorithm's interaction with the environment (during a step) is given by a history, which consists of a function sending the algorithm's queries to the environment's answers, together with a linear pre-order telling in what order the answers were received. The algorithm tells what queries are to be issued, on the basis of the state and the past history. On the same basis, it also tells whether the current step is ended; if so, it tells whether the step has succeeded or failed, and in the case of success it tells how the state is to be updated. The updating changes the interpretations of some of the function symbols, but it does not affect the base set. All of the preceding aspects of the algorithm are required to be invariant under isomorphism of Υ-structures. Finally, the "small-step" property of the algorithm is ensured by a postulate saying that the queries to be issued, the decisions about ending the step and about success, and the updates depend only on the history plus a specific finite part of the state. For the technical details of the formulation of the postulates, we refer to [5, Section 3].

2. Interactive Small-Step ASMs: Syntax 

Ordinary interactive small-step ASMs are defined in [3]. In the companion paper [5], we axiomatized general interactive small-step algorithms. In this and the next section, we define general interactive small-step ASMs. This new ASM model is an extension of the ASM model in [3]. The extension incorporates capabilities for taking into account the order of the environment's replies and for ending a step before all queries have been answered. We repeat here, for the sake of completeness, some definitions from [3, 5], but we do not repeat the detailed discussion and motivation for these definitions. We provide detailed discussion and motivation for those aspects of the present material that go beyond what was in [3, 5].

In this section we describe the syntax of ASM programs, accompanied by some intuitive indications of their semantics. Precise semantics is given in the next section.

2.1. Vocabularies. An ASM has a finite vocabulary Υ complying with the following convention, exactly as required for interactive small-step algorithms in [5].

Convention 2.1.

• A vocabulary Υ consists of function symbols with specified arities.

• Some of the symbols in Υ may be marked as static, and some may be marked as relational. Symbols not marked as static are called dynamic.

• Among the symbols in Υ are the logic names: nullary symbols true, false, and undef; unary Boole; binary equality; and the usual propositional connectives. All of these are static and all but undef are relational.

• A Υ-structure consists of a nonempty base set and interpretations of all the function symbols as functions on that base set.

• In any Υ-structure, the interpretations of true, false, and undef are distinct.

• In any Υ-structure X, the interpretations of relational symbols are functions whose values lie in {true_X, false_X}.

• In any Υ-structure X, the interpretation of Boole maps true_X and false_X to true_X and everything else to false_X.

• In any Υ-structure X, the interpretation of equality maps pairs of equal elements to true_X and all other pairs to false_X.

• In any Υ-structure X, the propositional connectives are interpreted in the usual way when their arguments are in {true_X, false_X}, and they take the value false_X whenever any argument is not in {true_X, false_X}.

• We may use the same notation X for a structure and its base set.

• We may omit subscripts X, for example from true and false, when there is no danger of confusion. □

In addition, the ASM has an external vocabulary E,¹ consisting of finitely many external function symbols with specified arities. These symbols are used syntactically exactly like the symbols from Υ, but their semantics is quite different. If f is an n-ary external function symbol and ā is an n-tuple of arguments from a state X, then the value of f at ā is not stored in the state but is obtained from the environment as the reply to a query.

Remark 2.2. The ASM syntax of [3] included commands of the form Output_l(t) where t is a term and l is a so-called output label. These commands produced an outgoing message, regarded as a query with an automatic reply "OK." In the present paper, we shall include commands for issuing the queries associated with external function calls even when the reply might not be used in the evaluation of a term. These issue commands subsume the older Output commands, so we do not include the latter in our present syntax. This is why the preceding paragraph introduces only the external vocabulary and not an additional set of output labels. Note in this connection that the simulation of ordinary interactive small-step algorithms by ASMs in [3] did not use Output rules. □

Convention 2.3. Note that by Convention 2.1 only function symbols in Υ admit two sorts of markings. They can be either static or dynamic and they can be relational or not. No such markings are applied to the external function symbols. All symbols in E are considered static and not relational. □

Remark 2.4. In this convention, "static" does not mean that the values of external functions cannot change; it means that the algorithm cannot change them, although the environment can. External functions cannot be the subject of updates in an ASM program, and in this respect they have the same syntax as static function symbols from Υ.

We do not declare any external function symbols to be relational because such a declaration would, depending on its semantical interpretation, lead to one of two difficulties.

¹ The symbol E for the external vocabulary is the Greek capital epsilon, in analogy with the Greek capital upsilon Υ for the algorithm's vocabulary.
One possibility would be to demand that the queries resulting from relational external functions get replies that are appropriate values for such functions, namely only true and false. This imposes a burden on the environment, and a fairly complicated one, since it may not be evident, by inspection of a query, what external function symbol produced it (see the discussion of templates below). We prefer in this paper to keep the environment unconstrained.

A second possibility for handling relational external functions is to allow the environment to give arbitrary, not necessarily Boolean, replies to the queries resulting from these symbols. Then we could have non-Boolean values for Boolean terms, and we would have to decide how to handle this pathological situation, for example when it occurs in the guard of a conditional rule. In [3, Section 5], this approach was used, with the convention that this sort of pathology would cause the conditional rule to fail. In our present situation, that convention no longer looks so natural, because the pathological value might be one that the algorithm didn't really need. (Recall that in [2, 3, 4] algorithms needed replies to all of their queries.) One can probably find a reasonable convention for dealing with this pathology even for general interactive algorithms, but the convention would appear somewhat arbitrary, and it seems simpler to prohibit external function symbols from being relational.

It might appear that this prohibition could cause a problem in programming. Suppose, 
for example, that we know somehow that the environment will provide a Boolean value for 
a certain nullary external function symbol p. Then we might want to use p as the guard in 
a conditional statement. But we can't; since p isn't a relational symbol, it is not a Boolean 
term, and so (according to the definitions in the following subsections) it is ineligible to 
serve as a guard. Fortunately, this problem disappears when we observe that p = true is a 
perfectly good guard (since equality is relational) and it has the same value as p (since we 
allegedly know that p gets a Boolean value). If, on the other hand, we're not sure that the 
environment will provide a Boolean value, then a particular decision about how to handle 
a non-Boolean value can be built into the program. For example, the convention from [3] 
would be given by 

do in parallel
  if p = true then R1 endif
  if p = false then R2 endif
  if p ≠ true and p ≠ false then fail endif
enddo.

If one wanted to adopt a convention such as this, not only in a particular program but 
throughout some programming language, then one could adjoin external relational symbols 
to our syntax and treat them as syntactic sugar for pieces of code like that exhibited above. 

2.2. Terms. 

Definition 2.5. The set of terms is the smallest set containing f(t_1, ..., t_n) whenever it contains t_1, ..., t_n and f is an n-ary function symbol from Υ ∪ E. (The basis of this recursive definition is, of course, given by the 0-ary function symbols.) □
This definition formalizes the assertion above that the external function symbols in E are treated syntactically like those of the state vocabulary Υ.

Notice that the terms of ASMs do not involve variables. In this respect they differ from those of [3], those of first-order logic, and those used in the bounded exploration witnesses of [5]. It may be surprising that we can get by without variables while describing algorithms more general than those of [3], where we used variables. Recall, however, that the variables in the ASM programs of [3] are bound by the let construct, and that this construct is eliminable according to [3, Section 7]. In the present paper, we use let only as syntactic sugar (see Subsection 2.6 below), and so we do not need variables in our basic formalism.

Definition 2.6. A Boolean term is a term of the form f(t̄) where f is a relational symbol. □

Convention 2.7. By Υ-terms, we mean terms built using the function symbols in Υ and variables. These are terms in the usual sense of first-order logic for the vocabulary Υ. Terms as defined above, using function symbols from Υ ∪ E but not using variables, will be called ASM-terms when we wish to emphasize the distinction from Υ-terms. A term of the form f(t̄) where f ∈ E will be called a query-term or simply q-term.

The evaluation of a Υ-term (in a given state with given values for the variables) produces an element of the state, the value of the term. The same applies to q-terms, but there the situation is more involved. Consider a q-term s = f(t̄) and suppose that t̄ has been evaluated to ā. First the evaluation of f(ā) produces a query, called the q-value of s. If and when a reply to the query is received, the evaluation of s is complete and we get the actual value of s. See details in Section 3.

2.3. Guards. In [3], the guards φ in conditional rules if φ then R_0 else R_1 endif were simply Boolean terms. We shall need guards of a new sort to enable our ASMs to take into account the temporal order of the environment's replies and to complete a step even when some queries have not yet been answered.

We introduce timing explicitly into the formalism with the notation (s ≼ t), which is intended to mean that the replies needed to evaluate the term s arrived no later than those needed to evaluate t. It may seem that we are thereby just introducing a new form of Boolean term, but in fact the situation is more complicated.

In the presence of all the replies needed for both s and t, the guard (s ≼ t) will have a truth value, determined by the relative timing of replies. At the other extreme, if neither s nor t can be fully evaluated, then (s ≼ t) must, like s and t themselves, have no value. So far, (s ≼ t) behaves like a term.

Between the two extremes, however, there are situations where the replies provided by the environment suffice for the evaluation of one but not both of s and t. If replies suffice for s but not for t, then (s ≼ t) is true; if replies suffice for t but not for s, then (s ≼ t) is false. Here, (s ≼ t) behaves quite differently from a term, in that it has a value even when one of its subterms does not.

This behavior of (s ≼ t) also enables an ASM to complete its step while some of its queries remain unanswered. The execution of a conditional rule with (s ≼ t) as its guard can proceed to the appropriate branch as soon as it has received enough replies from the environment to evaluate at least one of s and t, without waiting for the replies needed to evaluate the other.

We shall need similar behavior for more complicated guards, and for this purpose we shall use the propositional connectives of Kleene's strong three-valued logic, which perfectly fits this sort of situation [12, §64]. We use the notations ⋏ and ⋎ for the conjunction and disjunction of this logic. They differ from the classical connectives ∧ and ∨ in that φ ⋏ ψ has the value false as soon as either of φ and ψ does, even if the other has no value, and φ ⋎ ψ has the value true as soon as either of φ and ψ does, even if the other has no value. In other words, if the truth value of one of the constituents φ and ψ suffices to determine the truth value of the compound formula, regardless of what truth value the other constituent gets, then this determination takes effect without waiting for the other constituent to get any truth value at all. (It is customary, in discussions of these modified connectives, to treat "unknown" as a third truth value, but it will be convenient for us to regard it as the absence of a truth value. Such absences occur anyway, even for ordinary terms, when the existing replies do not suffice for a complete evaluation, and it seems superfluous to introduce another entity, "unknown," to serve as a marker of this situation.)

For a detailed formal definition of the semantics of guards see Section 3 below.

Definition 2.8. The set of guards is defined by the following recursion.

• Every Boolean term is a guard.

• If s and t are terms, then (s ≼ t) is a guard.

• If φ and ψ are guards, then so are (φ ⋏ ψ), (φ ⋎ ψ), and ¬φ.

□

Notice that the first clause of this definition allows, in particular, terms built by means 
of the ordinary, 2-valued connectives from other Boolean terms. 

2.4. Rules. Most of the definition of ASM rules is as in [3]. The differences are in the use 
of issue rules in place of the less general Output rules of [3] and in the more general notion 
of guard introduced above. 

Definition 2.9. The set of ASM rules is defined by the following recursion.

• If f ∈ Υ is a dynamic n-ary function symbol, if t_1, ..., t_n are terms, and if t_0 is a term that is Boolean if f is relational, then

f(t_1, ..., t_n) := t_0

is a rule, called an update rule.

• If f ∈ E is an external n-ary function symbol and if t_1, ..., t_n are terms, then

issue f(t_1, ..., t_n)

is a rule, called an issue rule.

• fail is a rule.

• If φ is a guard and if R_0 and R_1 are rules, then

if φ then R_0 else R_1 endif

is a rule, called a conditional rule. R_0 and R_1 are its true and false branches, respectively.

• If k is a natural number (possibly zero) and if R_1, ..., R_k are rules then

do in parallel R_1, ..., R_k enddo

is a rule, called a parallel combination or block with the subrules R_i as its components.

□
We may omit the end-markers endif and enddo when they are not needed, for example in very short rules or in programs formatted so that indentation makes the grouping clear.

Example 2.10. In [5] we have analyzed the algorithm of a broker who offers a block of a shares of stock s at price p to clients i by issuing queries q_i(s, p, a), i = 0, 1. The client whose reply reaches the broker first wins the sale. We consider here a variant of the example in which every reply from a client is considered to be positive, so that a client refuses the offer by not answering at all. If both replies reach the broker simultaneously then, for simplicity, client 0 is preferred. There is a further timeout query t, so that if no client replies by the timeout, the sale is canceled. Given that t, q_i ∈ E and s, p, a, 0, 1 are some Υ-terms, an equivalent ASM program might be

if ¬(q_0(s, p, a) ≼ t) ⋏ ¬(q_1(s, p, a) ≼ t) then cancel
else if q_0(s, p, a) ≼ q_1(s, p, a) then sell to 0
else sell to 1

where cancel and sell to i stand for some updates recording respectively canceling the sale or selling to client i in the state.



2.5. Queries and templates. We recall the query-reply model that is discussed at length in [2, 3] and summarized in [5]. In addition to the vocabulary Υ and external vocabulary E, an ASM has a set Λ of labels.

Definition 2.11. A potential query in a Υ-structure X is a finite tuple of elements of X ∪ Λ. A potential reply in X is an element of X. □

Here X ∪ Λ is the disjoint union of X and Λ. So if they are not disjoint, then they are to be replaced by disjoint isomorphic copies. We shall usually not mention these isomorphisms; that is, we write as though X and Λ were disjoint.

The correspondence between external function calls on the one hand and queries on the 
other hand is mediated by a template assignment, defined as follows. 

Definition 2.12. For a fixed label set Λ, a template for n-ary function symbols is any tuple in which certain positions are filled with labels from Λ while the rest are filled with the placeholders #1, ..., #n, occurring once each. We assume that these placeholders are distinct from all the other symbols under discussion (Υ ∪ E ∪ Λ). If Q is a template for n-ary functions, then we write Q[a_1, ..., a_n] for the result of replacing each placeholder #i in Q by the corresponding a_i. □

Thus if the a_i are elements of a state X then Q[a_1, ..., a_n] is a potential query in X.

Definition 2.13. For a fixed label set and external vocabulary, a template assignment is a function assigning to each n-ary external function symbol f a template f̂ for n-ary functions. □
The intention, which will be formalized in the semantic definitions of the next section, is that when an ASM evaluates a term f(t_1, ..., t_n) where f ∈ E, it first computes the values a_i of the terms t_i, then issues the query f̂[a_1, ..., a_n], and finally uses the answer to this query as the value of f(t_1, ..., t_n).

Template assignments solve the problem whether two distinct syntactic occurrences 
of the same function symbol with the same arguments refer to the same query or denote 
distinct queries. Sometimes it is convenient to have it one way, and sometimes another. For 
extensive discussion of template assignments we refer the reader to [3] . 

2.6. Programs. Now we are ready to define ASM programs. 

Definition 2.14. An interactive, small-step ASM program Π consists of

• a finite vocabulary Υ,

• a finite set Λ of labels,

• a finite external vocabulary E,

• a rule R, using the vocabularies Υ and E, the underlying rule of Π,

• a template assignment with respect to E and Λ.

This completes the definition of the syntax of ASMs. It will, however, be convenient 
notationally and suggestive conceptually to introduce abbreviations, syntactic sugar, for 
certain expressions. Specifically, we adopt the following conventions and notations. 

Convention 2.15. We use skip for the parallel combination with no components, officially 
written do in parallel enddo. 

Convention 2.16. The parallel combination with k ≥ 2 components R_1, ..., R_k can be written as R_1 par ... par R_k.

Semantically, par is commutative and associative, that is, rules that differ only by the 
order and parenthesization of parallel combinations will have the same semantic behavior. 
Thus, in contexts where only the semantics matters, parentheses can be omitted in iterated 
pars. 

Convention 2.17. We abbreviate if φ then R else skip endif as if φ then R endif.

Convention 2.18. For any term t, the Boolean term t = t is denoted by t!, read as "t bang." □

These bang terms may seem trivial, but they can be used to control timing in the 
execution of an ASM. If the term t involves external function symbols, then the rule if t! 
then R endif differs from R in that it issues the queries needed for the evaluation of t and 
waits for the replies before proceeding to execute R. 

Convention 2.19. We use the following abbreviations:

(s ≺ t) for ¬(t ≼ s),

(s ≈ t) for (s ≼ t) ⋏ (t ≼ s),

(s ≽ t) for (t ≼ s), and

(s ≻ t) for (t ≺ s).

Parentheses may be omitted when no confusion results. □
The final two items of syntactic sugar involve two ways of binding variables to terms by let operators. Our syntax so far does not include variables, but it is easy to add them.

Definition 2.20. Fix an infinite set of variables. ASM rules with variables are defined 
exactly like ASM rules, with variables playing the role of additional, nullary, static symbols. 

□ 

Convention 2.21. If R(v_1, ..., v_k) is a rule with distinct variables v_i, and if t_1, ..., t_k are terms then the let-by-name notation

n-let v_1 = t_1, ..., v_k = t_k in R(v_1, ..., v_k)

means R(t_1, ..., t_k). □

Convention 2.22. If R(v_1, ..., v_k) is a rule with distinct variables v_i, and if t_1, ..., t_k are terms then the let-by-value notation

v-let v_1 = t_1, ..., v_k = t_k in R(v_1, ..., v_k)

abbreviates

if t_1! ∧ ⋯ ∧ t_k! then R(t_1, ..., t_k).

□

For both n-let and v-let rules, the v_i are called the variables of the rule, the t_i its bindings, and R(v_1, ..., v_k) its body. Each of the variables v_i is bound by this rule at its initial occurrence in the context v_i = t_i and at any free occurrences in R(v_1, ..., v_k). (Occurrences of the variables v_i in the terms t_j are not bound by the n-let or v-let construction, regardless of whether i = j or not.)

The let-by-name notation simply uses variables v_i as placeholders for the terms t_i. The let-by-value notation, in contrast, first evaluates all the t_i and only afterward proceeds to execute the rule R. In this sense, the two forms of let correspond to call-by-name and call-by-value in other situations.

Example 2.23. Let t be a term representing a query asking the environment for a fresh object, like constructors in object-oriented languages, so that distinct textual occurrences of t in a program represent distinct queries with supposedly distinct replies. Let R(t) be a rule with several syntactic occurrences of t. Then n-let x = t in R(x) provides just an abbreviation for R(t) (if it is indeed shorter than R(t)), while v-let x = t in R(x) has a completely different meaning: first ask the environment for a fresh object, await the reply, and then use it repeatedly.

3. Interactive Small-Step ASMs: Semantics 

Throughout this section, we refer to a fixed structure X. We start by recalling the notion of history introduced and motivated in the companion paper [5]. Then we define the semantics of terms, guards, and rules in the structure X, relative to histories ξ. In each case, we tacitly presume a template assignment. (Unlike X, the history ξ will not remain fixed, because the meaning of a guard under history ξ can depend on the meanings of its subterms under initial segments of ξ.) In each case, the semantics will specify a causality relation. In addition, for terms and guards the semantics may provide a value (Boolean in the case of guards); for rules, the semantics may declare the history final, successful, or failing, and may provide updates.
3.1. Histories. The notion of history as a formal model of intrastep interaction of an algorithm and its environment has been introduced and extensively discussed in [5]. We recall the relevant definitions.

Definition 3.1. An answer function for a state X is a partial map from potential queries to potential replies. A history for X is a pair ξ = (ξ̇, ≤_ξ) consisting of an answer function ξ̇ together with a linear pre-order ≤_ξ of its domain. By the domain of a history ξ, we mean the domain Dom(ξ̇) of its answer function component, which is also the field of its pre-order component. □

Recall that a pre-order of a set D is a reflexive, transitive, binary relation on D, and that it is said to be linear if, for all x, y ∈ D, x ≤ y or y ≤ x. The equivalence relation defined by a pre-order is given by

x ≡ y ⟺ x ≤ y ≤ x.

The equivalence classes are partially ordered by

[x] ≤ [y] ⟺ x ≤ y,

and this partial order is linear if and only if the pre-order was.

The length of a linear pre-order is defined to be the order type of the induced linear ordering of equivalence classes. (We shall use this notion of length only in the case where the number of equivalence classes is finite, in which case this number serves as the length.)

We also write x < y to mean x ≤ y and y ≰ x. (Because a pre-order need not be antisymmetric, x < y is in general a stronger statement than the conjunction of x ≤ y and x ≠ y.) When, as in the definition above, a pre-order is written as ≤_ξ, we write the corresponding equivalence relation and strict order as ≡_ξ and <_ξ. The same applies to other subscripts and superscripts.

Definition 3.2. Let ≤ be a pre-order of a set D. An initial segment of D with respect to ≤ is a subset S of D such that whenever x ≤ y and y ∈ S then x ∈ S. An initial segment of ≤ is the restriction of ≤ to an initial segment of D with respect to ≤. An initial segment of a history (ξ̇, ≤_ξ) is a history (ξ̇ ↾ S, ≤_ξ ↾ S), where S is an initial segment of Dom(ξ) with respect to ≤_ξ. (We use the standard notation ↾ for the restriction of a function or a relation to a set.) We write η ≤ ξ to mean that the history η is an initial segment of the history ξ. □

3.2. Terms. The semantics of terms presumes not only an $\Upsilon$-structure $X$ and a template 
assignment but also a history $\xi$. The semantics is essentially the same as in [3], except that 
we do not use variables here. In particular, the history $\xi$ is involved only via the answer 
function; the pre-order is irrelevant. 

The semantics of terms specifies, by induction on terms $t$, the queries that are caused 
by $\xi$ under the associated causality relation $\vdash^{t}_{X}$ and sometimes also a value $\mathrm{Val}(t, X, \xi)$. In 
the case of query-terms, the semantics may specify also a query-value $\text{q-Val}(t, X, \xi)$. An 
evaluation of a query-term $t$ is intended to produce first a query, called the q-value of $t$ and 
denoted $\text{q-Val}(t, X, \xi)$; the reply, if any, to the query is the actual value $\mathrm{Val}(t, X, \xi)$ of $t$. 

Definition 3.3. Let $t$ be the term $f(t_1, \ldots, t_n)$. 

• If $\mathrm{Val}(t_i, X, \xi)$ is undefined for at least one $i$, then $\mathrm{Val}(t, X, \xi)$ is also undefined, and 
$\xi \vdash^{t}_{X} q$ if and only if $\xi \vdash^{t_i}_{X} q$ for at least one $i$. If $f \in E$ then $\text{q-Val}(t, X, \xi)$ is also 
undefined. 

• If, for each $i$, $\mathrm{Val}(t_i, X, \xi) = a_i$ and if $f \in \Upsilon$, then $\mathrm{Val}(t, X, \xi) = f_X(a_1, \ldots, a_n)$, and 
no query $q$ is caused by $\xi$. 

• If, for each $i$, $\mathrm{Val}(t_i, X, \xi) = a_i$, and if $f \in E$, then $\text{q-Val}(t, X, \xi)$ is the query 
$\hat f[a_1, \ldots, a_n]$. 

  – If $\text{q-Val}(t, X, \xi) = q \in \mathrm{Dom}(\xi)$, then $\mathrm{Val}(t, X, \xi) = \dot\xi(q)$, and no query is caused 
  by $\xi$. 

  – If $\text{q-Val}(t, X, \xi) = q \notin \mathrm{Dom}(\xi)$, then $\mathrm{Val}(t, X, \xi)$ is undefined, and $q$ is the 
  unique query such that $\xi \vdash^{t}_{X} q$. 

□ 

We record for future reference three immediate consequences of this definition; the 
proofs are routine inductions on terms. 

Lemma 3.4. $\mathrm{Val}(t, X, \xi)$ is defined if and only if there is no query $q$ such that $\xi \vdash^{t}_{X} q$. 

Lemma 3.5. If $\xi \vdash^{t}_{X} q$ then $q \notin \mathrm{Dom}(\xi)$. 

Lemma 3.6. If $\eta \sqsubseteq \xi$ (or even if merely $\eta \subseteq \xi$) and if $\mathrm{Val}(t, X, \eta)$ is defined, then $\mathrm{Val}(t, X, \xi)$ 
is also defined and these values are equal. Similarly, if $t$ is a q-term such that $\text{q-Val}(t, X, \eta)$ 
exists, then $\text{q-Val}(t, X, \eta) = \text{q-Val}(t, X, \xi)$. 

3.3. Guards. The semantics of guards, unlike that of terms, depends not only on the 
answer function but also on the preorder in the history. Another difference from the term 
case is that the values of guards, when defined, are always Boolean values. Guards share 
with terms the property that they produce queries if and only if their values are undefined. 

Definition 3.7. Let $\varphi$ be a guard and $\xi$ a history in an $\Upsilon$-structure $X$. 

• If $\varphi$ is a Boolean term, then its value (if any) and causality relation are already 
given by Definition 3.3. 

• If $\varphi$ is $(s \prec t)$ and if both $s$ and $t$ have values with respect to $\xi$, then $\mathrm{Val}(\varphi, X, \xi) =$ 
true if, for every initial segment $\eta \sqsubseteq \xi$ such that $\mathrm{Val}(t, X, \eta)$ is defined, $\mathrm{Val}(s, X, \eta)$ 
is also defined. Otherwise, $\mathrm{Val}(\varphi, X, \xi) =$ false. Also declare that $\xi \vdash^{\varphi}_{X} q$ for no $q$. 

• If $\varphi$ is $(s \prec t)$ and if $s$ has a value with respect to $\xi$ but $t$ does not, then define 
$\mathrm{Val}(\varphi, X, \xi)$ to be true; again declare that $\xi \vdash^{\varphi}_{X} q$ for no $q$. 

• If $\varphi$ is $(s \prec t)$ and if $t$ has a value with respect to $\xi$ but $s$ does not, then define 
$\mathrm{Val}(\varphi, X, \xi)$ to be false; again declare that $\xi \vdash^{\varphi}_{X} q$ for no $q$. 

• If $\varphi$ is $(s \prec t)$ and if neither $s$ nor $t$ has a value with respect to $\xi$, then $\mathrm{Val}(\varphi, X, \xi)$ 
is undefined, and $\xi \vdash^{\varphi}_{X} q$ if and only if $\xi \vdash^{s}_{X} q$ or $\xi \vdash^{t}_{X} q$. 

• If $\varphi$ is $\psi_0 \wedge \psi_1$ and both $\psi_i$ have value true, then $\mathrm{Val}(\varphi, X, \xi) =$ true and no query 
is produced. 

• If $\varphi$ is $\psi_0 \wedge \psi_1$ and at least one $\psi_i$ has value false, then $\mathrm{Val}(\varphi, X, \xi) =$ false and 
no query is produced. 

• If $\varphi$ is $\psi_0 \wedge \psi_1$ and one $\psi_i$ has value true while the other, $\psi_{1-i}$, has no value, then 
$\mathrm{Val}(\varphi, X, \xi)$ is undefined, and $\xi \vdash^{\varphi}_{X} q$ if and only if $\xi \vdash^{\psi_{1-i}}_{X} q$. 

• If $\varphi$ is $\psi_0 \wedge \psi_1$ and neither $\psi_i$ has a value, then $\mathrm{Val}(\varphi, X, \xi)$ is undefined, and $\xi \vdash^{\varphi}_{X} q$ 
if and only if $\xi \vdash^{\psi_i}_{X} q$ for some $i$. 

• The preceding four clauses apply with $\vee$ in place of $\wedge$ and true and false inter- 
changed. 

• If $\varphi$ is $\neg\psi$ and $\psi$ has a value, then $\mathrm{Val}(\varphi, X, \xi) = \neg\mathrm{Val}(\psi, X, \xi)$ and no query is 
produced. 

• If $\varphi$ is $\neg\psi$ and $\psi$ has no value then $\mathrm{Val}(\varphi, X, \xi)$ is undefined and $\xi \vdash^{\varphi}_{X} q$ if and only 
if $\xi \vdash^{\psi}_{X} q$. 

□ 

Remark 3.8. An alternative, and perhaps more intuitive, formulation of the definition of 
$\mathrm{Val}((s \prec t), X, \xi)$ in the case where both $s$ and $t$ have values is to let $\xi'$ (resp. $\xi''$) be the 
shortest initial segment of $\xi$ with respect to which $s$ (resp. $t$) has a value, and to define 
$\mathrm{Val}(\varphi, X, \xi)$ to be true if $\xi' \sqsubseteq \xi''$ and false otherwise. This is equivalent, in the light of 
Lemma 3.6, to the definition given above, but it requires knowing that the shortest initial 
segments mentioned here, $\xi'$ and $\xi''$, exist. That is clearly the case if the partial order 
associated to the preorder in $\xi$ is a well-ordering, in particular if it is finite. Once we 
establish that ASMs satisfy the Bounded Work Postulate, it will follow that we can confine 
our attention to finite histories and so use the alternative explanation of $\mathrm{Val}((s \prec t), X, \xi)$. 
The formulation adopted in the definition has the advantage of not presupposing that only 
finite histories matter. □ 

Example 3.9. The truth value of a timing guard $(s \prec t)$ is defined in terms of the syntactic 
objects $s$ and $t$, not in terms of their values. As a result, this truth value may not be 
preserved if $s$ and $t$ are replaced by other terms with the same values (in the given history), 
not even if the replacement terms ultimately issue the same queries as the original ones. 
Here is an example of what can happen. Suppose $p$, $q$, and $r$ are external function symbols, $p$ 
being unary and the other two nullary. Suppose further that $0$ is a static nullary $\Upsilon$-symbol. 
Consider a history $\xi$ with three queries in its domain, pre-ordered as $p[0_X] <_\xi q <_\xi r$ and 
with $\dot\xi(r) = 0_X$. Then the term $p(0)$ has a value already for the initial segment of $\xi$ of 
length 1; $q$ gets a value later, namely for the initial segment of length 2; and $p(r)$ gets a 
value only for the whole history $\xi$, of length 3. Thus, the guards $(p(0) \prec q)$ and $(q \prec p(r))$ 
are true, even though $p(0)$ and $p(r)$ have the same value and have, as the ultimate step in 
their evaluation, the answer to the query $p[0_X]$. □ 

Just as for terms, the following lemmas follow immediately, by induction on guards, 
from the definition plus the corresponding lemmas for terms. 

Lemma 3.10. $\mathrm{Val}(\varphi, X, \xi)$ is defined if and only if there is no query $q$ such that $\xi \vdash^{\varphi}_{X} q$. 

Lemma 3.11. If $\xi \vdash^{\varphi}_{X} q$ then $q \notin \mathrm{Dom}(\xi)$. 

Lemma 3.12. If $\eta \sqsubseteq \xi$ and if $\mathrm{Val}(\varphi, X, \eta)$ is defined, then $\mathrm{Val}(\varphi, X, \xi)$ is also defined and 
these values are equal. 

Remark 3.13. Given the semantics of guards, we can amplify the statement, in Remark 3.10 
of [5], that guards express descriptions like "$p$ has reply $a$ and $p'$ has no reply." 
In view of Lemma 3.12 it is more accurate to say that a guard expresses that such a de- 
scription either is correct now or was so at some earlier time. The lemma says that, once a 
guard is true, it remains true when the history is extended by adding new elements later in 
the preorder, whereas a property like "$p'$ has no reply" need not remain true. Thus, what 
a guard can really express is something like this: it either is now true or was once true that 
"$p$ has reply $a$ and $p'$ has no reply yet." This particular example would be expressed by the 
guard $(p = a) \wedge (p \prec p')$, where, for simplicity, we have not introduced a separate notation 
for 0-ary symbols corresponding to the queries $p$ and $p'$ and the element $a$. 




A. BLASS, Y. GUREVICH, D. ROSENZWEIG, AND B. ROSSMAN 



3.4. Rules. The semantics of a rule, for an $\Upsilon$-structure $X$, an appropriate template as- 
signment, and a history $\xi$, consists of a causality relation, declarations of whether $\xi$ is final 
and whether it succeeds or fails, and a set of updates. 

Definition 3.14. Let $R$ be a rule and $\xi$ a history for the $\Upsilon$-structure $X$. In the following 
clauses, whenever we say that a history succeeds or that it fails, we implicitly also declare 
it to be final; contrapositively, when we say that a history is not final, we implicitly also 
assert that it neither succeeds nor fails. 

• If $R$ is an update rule $f(t_1, \ldots, t_n) := t_0$ and if all the $t_i$ have values $\mathrm{Val}(t_i, X, \xi) = a_i$, 
then $\xi$ succeeds for $R$, and it produces the update set $\{(f, (a_1, \ldots, a_n), a_0)\}$ and no 
queries. 

• If $R$ is an update rule $f(t_1, \ldots, t_n) := t_0$ and if some $t_i$ has no value, then $\xi$ is not 
final for $R$, it produces the empty update set, and $\xi \vdash^{R}_{X} q$ if and only if $\xi \vdash^{t_i}_{X} q$ for 
some $i$. 

• If $R$ is issue $f(t_1, \ldots, t_n)$ and if all the $t_i$ have values $\mathrm{Val}(t_i, X, \xi) = a_i$, then $\xi$ 
succeeds for $R$, it produces the empty update set, and $\xi \vdash^{R}_{X} q$ for the single query 
$q = \hat f[a_1, \ldots, a_n]$ provided $q \notin \mathrm{Dom}(\xi)$; if $q \in \mathrm{Dom}(\xi)$ then no query is produced. 

• If $R$ is issue $f(t_1, \ldots, t_n)$ and if some $t_i$ has no value, then $\xi$ is not final for $R$, it 
produces the empty update set, and $\xi \vdash^{R}_{X} q$ if and only if $\xi \vdash^{t_i}_{X} q$ for some $i$. 

• If $R$ is fail, then $\xi$ fails for $R$; it produces the empty update set and no queries. 

• If $R$ is a conditional rule if $\varphi$ then $R_0$ else $R_1$ endif and if $\varphi$ has no value, then 
$\xi$ is not final for $R$, and it produces the empty update set. $\xi \vdash^{R}_{X} q$ if and only if 
$\xi \vdash^{\varphi}_{X} q$. 

• If $R$ is a conditional rule if $\varphi$ then $R_0$ else $R_1$ endif and if $\varphi$ has value true 
(resp. false), then finality, success, failure, updates, and queries are the same for 
$R$ as for $R_0$ (resp. $R_1$). 

• If $R$ is a parallel combination do in parallel $R_1, \ldots, R_k$ enddo then: 

  – $\xi \vdash^{R}_{X} q$ if and only if $\xi \vdash^{R_i}_{X} q$ for some $i$. 

  – The update set for $R$ is the union of the update sets for all the components $R_i$. 
  If this set contains two distinct updates at the same location, then we say that 
  a clash occurs (for $R$, $X$, and $\xi$). 

  – $\xi$ is final for $R$ if and only if it is final for all the $R_i$. 

  – $\xi$ succeeds for $R$ if and only if it succeeds for all the $R_i$ and no clash occurs. 

  – $\xi$ fails for $R$ if and only if it is final for $R$ and either it fails for some $R_i$ or a 
  clash occurs. 

□ 

There is no analog for rules of Lemmas 3.4 and 3.10. A rule may issue queries even 
though it is final (in the case of an issue rule) or produces updates (in the case of parallel 
combinations) or both. There are, however, analogs for the other two lemmas that we 
established for terms and guards; again the proofs are routine inductions. 

Lemma 3.15. If $\xi \vdash^{R}_{X} q$ then $q \notin \mathrm{Dom}(\xi)$. 

Lemma 3.16. Let $\eta \sqsubseteq \xi$. 

• If $\eta$ is final for $R$, then so is $\xi$. 

• If $\eta$ succeeds for $R$, then so does $\xi$. 

• If $\eta$ fails for $R$, then so does $\xi$. 

• The update set for $R$ under $\xi$ includes that under $\eta$. 

The reader might find it useful at this point to work out the semantic details of 
Examples 2.10 and 2.23, comparing the results with the intuitive explanations given in the 
examples. 

Remark 3.17. Issue rules are the only way an ASM can issue a query without necessarily 
waiting for an answer. More precisely, if a history causes a rule to issue a query and is also 
final for that rule, then that rule either is an issue rule or contains a subrule with the same 
property. Thus, we cannot eliminate issue from the syntax without reducing the power of 
ASMs. 

3.5. ASM definition. If $\xi$ is a successful, final history for a rule $R$ over an $\Upsilon$-structure 
$X$, then $R$ and $\xi$ produce a successor for $X$. We need a preliminary lemma to ensure that 
this successor will be well-defined. Recall that, in the definition of the semantics of parallel 
rules, we defined "a clash occurs" (for a rule, template assignment, state, and history) to 
mean that the update set contains two different updates of the same location. 

Lemma 3.18. If an ASM rule with a template assignment is (final and) successful in a 
certain state with a certain history, then no clash occurs for this rule, template assignment, 
state, and history. 

Proof. Use induction on rules. In the case of a parallel composition, the semantics explicitly 
provided for failure if a clash occurs. All other cases are trivial thanks to the induction 
hypothesis. □ 

Definition 3.19. Fix a rule $R$ endowed with a template assignment, and let $X$ be an $\Upsilon$- 
structure and $\xi$ be a history for $X$. If $\xi$ is successful and final for $R$ over $X$, and if $\Delta^+(X, \xi)$ 
is the update set produced by $R$, $X$, and $\xi$, then the successor $\tau(X, \xi)$ of $X$ with respect 
to $R$ and $\xi$ is the $\Upsilon$-structure $Y$ such that 

• $Y$ has the same base set as $X$, 

• $f_Y(a) = b$ if $(f, a, b) \in \Delta^+(X, \xi)$, and 

• otherwise $Y$ interprets function symbols exactly as $X$ does. □ 

Lemma 3.18 ensures that the second clause of the definition does not attempt to give 
$f_Y(a)$ two different values. 
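The following Python evaluator is an added example and not code from the paper: it implements the term semantics of Definition 3.3, the guard semantics of Definition 3.7 (including the timing guard $(s \prec t)$ quantified over initial segments), the rule semantics of Definition 3.14 with clash detection, and the successor of Definition 3.19, and it reproduces the constructed history of Example 3.9. The encodings are assumptions of mine: terms, guards and rules are nested tuples; a state is a dictionary of function tables; a finite linear pre-order is given by integer ranks, so that its initial segments are exactly the rank-prefixes; and a query is written as a (symbol, argument tuple) pair in place of the template instance $\hat f[a_1, \ldots, a_n]$.

```python
UNDEF = object()   # sentinel for "has no value"

class History:
    """xi = <answer function, linear pre-order>; the pre-order on Dom(xi) is given by
    integer ranks (equal = equivalent, smaller = earlier), so initial segments are rank-prefixes."""
    def __init__(self, answers, rank):
        self.answers, self.rank = dict(answers), dict(rank)
    def initial_segments(self):
        for r in [float('-inf')] + sorted(set(self.rank.values())):
            keep = [q for q in self.answers if self.rank[q] <= r]
            yield History({q: self.answers[q] for q in keep}, {q: self.rank[q] for q in keep})

def val(t, X, xi, ext):
    """Definition 3.3 for a term t = (f, [t_1..t_n]).  X maps each symbol to a table
    {args: value}; ext is the external vocabulary E.  Returns (value or UNDEF, caused)."""
    f, args = t
    vals, caused = [], set()
    for a in args:
        v, c = val(a, X, xi, ext)
        vals.append(v); caused |= c
    if any(v is UNDEF for v in vals):     # some t_i has no value: t inherits its queries
        return UNDEF, caused
    if f not in ext:                      # f in Upsilon: evaluate in X, no query
        return X[f][tuple(vals)], set()
    q = (f, tuple(vals))                  # q-Val(t) = f^[a_1, ..., a_n]
    if q in xi.answers:                   # answered: the value is the reply
        return xi.answers[q], set()
    return UNDEF, {q}                     # unanswered: t causes exactly q

def gval(phi, X, xi, ext):
    """Definition 3.7.  Guards: ('term', t), ('before', s, t) for the timing guard
    (s < t), ('and'|'or', a, b), ('not', a).  Returns (Boolean or UNDEF, caused)."""
    k = phi[0]
    if k == 'term':
        return val(phi[1], X, xi, ext)
    if k == 'before':
        (vs, cs), (vt, ct) = val(phi[1], X, xi, ext), val(phi[2], X, xi, ext)
        if vs is UNDEF and vt is UNDEF:
            return UNDEF, cs | ct
        if vs is UNDEF or vt is UNDEF:    # only s has a value: true; only t: false
            return vt is UNDEF, set()
        return all(val(phi[1], X, eta, ext)[0] is not UNDEF   # both have values: true iff every
                   for eta in xi.initial_segments()           # initial segment that gives t a
                   if val(phi[2], X, eta, ext)[0] is not UNDEF), set()   # value gives s one too
    if k == 'not':
        v, c = gval(phi[1], X, xi, ext)
        return (UNDEF, c) if v is UNDEF else (not v, set())
    absorb = (k == 'or')                  # 'or' = 'and' with true and false interchanged
    (v0, c0), (v1, c1) = gval(phi[1], X, xi, ext), gval(phi[2], X, xi, ext)
    if absorb in (v0, v1):                # one side already decides the value
        return absorb, set()
    if v0 is UNDEF or v1 is UNDEF:        # queries come from the side(s) without a value
        return UNDEF, (c0 if v0 is UNDEF else set()) | (c1 if v1 is UNDEF else set())
    return not absorb, set()

def run(R, X, xi, ext):
    """Definition 3.14.  Rules: ('update', f, [t_1..t_n], t_0), ('issue', f, [t_i]),
    ('fail',), ('if', guard, R0, R1), ('par', [R_1..R_k])."""
    def out(final, succeeds, fails, updates, caused):
        return dict(final=final, succeeds=succeeds, fails=fails, updates=updates, caused=caused)
    k = R[0]
    if k in ('update', 'issue'):
        res = [val(t, X, xi, ext) for t in R[2] + ([R[3]] if k == 'update' else [])]
        if any(v is UNDEF for v, _ in res):          # still waiting for a reply: not final
            return out(False, False, False, set(), set().union(*(c for _, c in res)))
        vals = [v for v, _ in res]
        if k == 'update':
            return out(True, True, False, {(R[1], tuple(vals[:-1]), vals[-1])}, set())
        q = (R[1], tuple(vals))                     # issue: final and successful, may cause q
        return out(True, True, False, set(), set() if q in xi.answers else {q})
    if k == 'fail':
        return out(True, False, True, set(), set())
    if k == 'if':
        v, c = gval(R[1], X, xi, ext)
        return out(False, False, False, set(), c) if v is UNDEF else run(R[2 if v else 3], X, xi, ext)
    parts = [run(Ri, X, xi, ext) for Ri in R[1]]      # do in parallel
    upd = set().union(*(p['updates'] for p in parts))
    clash = len({(f, a) for f, a, _ in upd}) < len(upd)   # two distinct updates, one location
    final = all(p['final'] for p in parts)
    return out(final, all(p['succeeds'] for p in parts) and not clash,
               final and (any(p['fails'] for p in parts) or clash),
               upd, set().union(*(p['caused'] for p in parts)))

def successor(X, updates):
    """Definition 3.19: Y agrees with X except at the updated locations."""
    Y = {f: dict(table) for f, table in X.items()}
    for f, a, b in updates:
        Y[f][a] = b
    return Y

def example_3_9():
    """Constructed history p[0_X] < q < r with r answered by 0_X, as in Example 3.9."""
    ext, X = {'p', 'q', 'r'}, {'0': {(): 0}}
    p0, q, r = ('p', (0,)), ('q', ()), ('r', ())
    xi = History({p0: 'a', q: 'b', r: 0}, {p0: 1, q: 2, r: 3})
    t_p0, t_q, t_pr = ('p', [('0', [])]), ('q', []), ('p', [('r', [])])
    g1, g2, g3 = (gval(('before', s, t), X, xi, ext)[0] for s, t in [(t_p0, t_q), (t_q, t_pr), (t_pr, t_q)])
    return g1, g2, g3, val(t_p0, X, xi, ext)[0] == val(t_pr, X, xi, ext)[0]
```

`example_3_9()` returns `(True, True, False, True)`: the guards $(p(0) \prec q)$ and $(q \prec p(r))$ are true, $(p(r) \prec q)$ is false, and yet $p(0)$ and $p(r)$ evaluate to the same reply, which is exactly the point of Example 3.9. Since a guard is decided by quantifying over initial segments, the evaluator never needs the pre-order for terms, matching the remark in Section 3.2 that only the answer function matters there.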

Now we are ready to give a complete definition of ASMs. 

Definition 3.20. An interactive, small-step, ASM consists of 

• an ASM program $\Pi$ in some vocabulary $\Upsilon$, 

• a nonempty set $S$ of $\Upsilon$-structures called states of the ASM, and 

• a nonempty set $\mathcal{I} \subseteq S$ of initial states, 

subject to the requirements that $S$ and $\mathcal{I}$ are closed under isomorphism and that $S$ is closed 
under transitions in the following sense. If $X \in S$, if $\xi$ is a successful, final history for $\Pi$ in 
$X$, and if $\Delta^+(X, \xi)$ is the update set produced by $\Pi$, $X$, and $\xi$, then the successor $\tau(X, \xi)$ 
of $X$ with respect to $\Pi$ and $\xi$ is also in $S$. The successor is the next state for $X$ with respect 
to $\Pi$, endowed with the given template assignment, and to $\xi$. □ 
4. ASMs are Algorithms 

This section is devoted to checking that ASMs, as just defined, are algorithms, as 
defined in [5]. In this section (and in the rest of the paper) we freely use the notions and 
results of [5]. 

4.1. Obvious postulates. Much of this checking is trivial: Everything required by the 
States Postulate of [5] is in our definition of ASMs. The causality relation required by the 
Interaction Postulate of [5] is included in our semantics for ASMs. (Strictly speaking, the 
causality relation defined for ASMs should be restricted to finite histories, to comply with the 
statement of the Interaction Postulate.) The Isomorphism Postulate of [5] is also obvious, 
because everything involved in our ASM semantics is invariant under isomorphisms. So the 
only postulates requiring any real checking are the Step and Bounded Work Postulates. 

4.2. Step Postulate. The ASM semantics provides notions of finality, success, failure, 
and updates. In addition to these, the Step Postulate of [5] requires (in Part C) a notion 
of next state and (in Part A) assurance that every complete, coherent history has a final 
initial segment.$^{10}$ The next state is given by Definition 3.19 and it is well-defined because 
of Lemma 3.18. 

To show that every complete, coherent history has a final initial segment, we actually 
show more, namely that every complete history is final. The main ingredient here is the 
following lemma. 

Lemma 4.1. If a history $\xi$ is not final for a rule $R$ in a state $X$, then $\xi \vdash^{R}_{X} q$ for some 
query $q$. 

Proof. We proceed by induction on the rule $R$, according to the clauses in the definition of 
the semantics for rules. Since we are given that $\xi$ is not final, we can ignore those clauses 
that say $\xi$ is final, and there remain the following cases. 

If $R$ is either an update rule $f(t_1, \ldots, t_n) := t_0$ or an issue rule issue $f(t_1, \ldots, t_n)$ and 
some $t_i$ has no value, then by Lemma 3.4 there is a query $q$ such that $\xi \vdash^{t_i}_{X} q$, and therefore 
$\xi \vdash^{R}_{X} q$. 

If $R$ is a conditional rule whose guard has no value, then the same argument applies 
except that we invoke Lemma 3.10 in place of Lemma 3.4. 

If $R$ is a conditional rule whose guard has a truth value, then the lemma for $R$ follows 
immediately from the lemma for the appropriate branch of $R$. 

Finally, suppose $R$ is a parallel combination. Since $\xi$ is not final for $R$ in $X$, there is 
a component $R_i$ for which $\xi$ is not final. By induction hypothesis, $\xi \vdash^{R_i}_{X} q$ for some $q$, and 
then we also have $\xi \vdash^{R}_{X} q$. □ 



$^{10}$ We implicitly use the notions of coherent history and complete history as defined for algorithms in 
general in [5, Section 3], with respect to the causality relation of the ASM program as defined in Section 3 
above. 
To complete the verification of the Step Postulate, we observe that, in the situation of 
the lemma, $q \in \mathrm{Issued}_X(\xi)$ and, by Lemma 3.15, $q \notin \mathrm{Dom}(\xi)$. Thus, $q \in \mathrm{Pending}_X(\xi)$, and 
so $\xi$ is not complete for $R$ and $X$. 

Remark 4.2. Because we have promised to prove that every algorithm is equivalent to 
an ASM, one might think that every algorithm enjoys the property established for ASMs 
in the preceding proof, namely that all complete histories are final. This is, however, not 
the case, because this property is not preserved by equivalence of algorithms. For a simple 
example, consider an algorithm where, for every state, the empty history is the only final 
history, and it causes one query, while all other histories cause no queries. Since the empty 
history is an initial segment of every history, Part A of the Step Postulate is satisfied, even 
though the complete histories, those in which the one query is answered, are not final. 

Notice, however, that converting an arbitrary algorithm to an equivalent one in which all 
complete histories are final is much easier than converting it to an equivalent ASM. Simply 
adjoin all non-final, complete histories for any state to the set of final, failing histories for 
that state. None of the histories newly adjoined here can be attainable, so the modified 
algorithm is equivalent to the original. □ 



4.3. Bounded Work Postulate. We turn now to the Bounded Work Postulate of [5]. Its 
first assertion, about the lengths of queries, is easy to check. Since the postulate refers 
only to coherent histories (actually to attainable, final histories, but coherence suffices for 
the present purpose) , any query in the domain of such a history is caused by some history. 
By inspection of the definition of ASM semantics, all queries that are ever caused are of 
the form $\hat f[a_1, \ldots, a_n]$ and thus have the same length as the template $\hat f$ assigned to some 
external function symbol. As there are only finitely many external function symbols, the 
lengths of the queries are bounded. 

The next assertion of the Bounded Work Postulate, bounding the number of queries 
issued by the algorithm, will be a consequence of the following lemma. 

Lemma 4.3. For any term $t$, guard $\varphi$, or rule $R$, there is a natural number $B(t)$, $B(\varphi)$, 
or $B(R)$ that bounds the number of queries caused in a state $X$ by initial segments of a 
history $\xi$. The bound depends only on $t$, $\varphi$, or $R$, not on $X$ or $\xi$. 

Proof. Go to the definition of the semantics of ASMs and inspect the clauses that say queries 
are caused. The result is that, first, we can define the desired $B(t)$ for terms by 

$$B(f(t_1, \ldots, t_n)) = 1 + \sum_{i=1}^{n} B(t_i).$$

The sum here comes from the first clause in the definition of semantics of terms, and the 
additional 1 comes from the last clause. It is important here that, according to Lemma 3.6, 
all the initial segments of any $\xi$ that produce values for a $t_i$ produce the same value $a_i$. 
Thus, the last clause of the definition produces at most one query $\hat f[a_1, \ldots, a_n]$. 

Similarly, we obtain for guards $\varphi$ (other than the Boolean terms already treated above) 
the estimates 

$$B((s \prec t)) = B(s) + B(t)$$
$$B(\psi_0 \wedge \psi_1) = B(\psi_0 \vee \psi_1) = B(\psi_0) + B(\psi_1)$$
$$B(\neg\psi) = B(\psi).$$

For rules, we obtain 

$$B(f(t_1, \ldots, t_n) := t_0) = \sum_{i=0}^{n} B(t_i)$$
$$B(\text{issue } f(t_1, \ldots, t_n)) = 1 + \sum_{i=1}^{n} B(t_i)$$
$$B(\text{fail}) = 0$$
$$B(\text{if } \varphi \text{ then } R_0 \text{ else } R_1) = B(\varphi) + B(R_0) + B(R_1)$$
$$B(\text{do in parallel } R_1, \ldots, R_k) = \sum_{i=1}^{k} B(R_i).$$

(In the bound for conditional rules, we could reduce $B(R_0) + B(R_1)$ to $\max\{B(R_0), B(R_1)\}$ 
by using the fact that all the initial segments of any $\xi$ that produce values for $\varphi$ produce 
the same value.) □ 

Since $\mathrm{Issued}_X(\xi)$ is the set of queries caused in state $X$, under rule $R$, by initial segments 
of $\xi$, the lemma tells us that $|\mathrm{Issued}_X(\xi)| \le B(R)$, independently of $X$ and $\xi$. This verifies 
the second assertion of the Bounded Work Postulate. (It actually verifies more, since the 
proof applies to all histories not merely to attainable ones.) 

To complete the verification of the Bounded Work Postulate, it remains only to produce 
bounded exploration witnesses for all ASMs. We shall do this by an induction on rules, 
preceded by proofs of the analogous results for terms and for guards. 

Lemma 4.4. For every ASM-term $t$ (without variables) there exists a finite set $W(t)$ of 
$\Upsilon$-terms (possibly with variables) such that, whenever $(X, \xi)$ and $(X', \xi)$ agree on $W(t)$, 
then: 

• If $\xi \vdash^{t}_{X} q$ then $\xi \vdash^{t}_{X'} q$. 

• $\mathrm{Val}(t, X, \xi) = \mathrm{Val}(t, X', \xi)$. 

Recall that "agree on $W(t)$" means that each term in $W(t)$ has the same value in $X$ 
and in $X'$ when the variables are given the same values in $\mathrm{Range}(\dot\xi)$. Recall also that an 
equation between possibly undefined expressions like $\mathrm{Val}(t, X, \xi)$ means that if either side 
is defined then so is the other and they are equal. 

Proof. By a shadow of an ASM-term $t$, we mean a term $\tilde t$ obtained from $t$ by putting 
distinct variables in place of the outermost$^{11}$ occurrences of subterms that begin with external 
function symbols. Thus, $\tilde t$ is an $\Upsilon$-term, and $t$ can be recovered from $\tilde t$ by a suitable 
substitution of ASM-terms (that start with external function symbols) for all the variables. 

Notice that $\tilde t$ fails to be uniquely determined by $t$ only because we have not specified 
which variables are to replace the subterms. 

$^{11}$ "Outermost" means "maximal" in the sense that the occurrence in question is not properly contained 
in another such occurrence. In terms of the parse tree of $t$, it means that, on the path from the root of the 
whole tree to the root of the subtree given by the occurrence in question, there is no other occurrence of an 
external function symbol. 
We define, by recursion on ASM-terms $t$, the set $W(t)$ of $\Upsilon$-terms as follows. If $t$ is 
$f(t_1, \ldots, t_n)$ then 

$$W(t) = \{\tilde t\} \cup \bigcup_{i=1}^{n} W(t_i),$$

where $\tilde t$ is some shadow of $t$. It follows immediately, by induction on $t$, that $W(t)$ is finite. 
The verification that this $W(t)$ satisfies the conclusion of the lemma is also by induction on 
$t$, following the clauses in the definition of the semantics of terms. 

Assume that $(X, \xi)$ and $(X', \xi)$ agree on $W(t)$. Notice that they also agree on each 
$W(t_i)$, because $W(t_i) \subseteq W(t)$. 

Suppose first that $\mathrm{Val}(t_i, X, \xi)$ is undefined for some $i$. By induction hypothesis, 
$\mathrm{Val}(t_i, X', \xi)$ is also undefined, so the same clause of the semantics of terms applies in 
$X$ and $X'$. That clause says that $t$ has no value in either state and it issues those queries 
that are issued by any of the $t_i$. Those are the same queries in $X$ as in $X'$ by the induction 
hypothesis. 

From now on, suppose that $\mathrm{Val}(t_i, X, \xi) = a_i$ for each $i$. By induction hypothesis, the 
same holds for $X'$, with the same $a_i$'s. 

So if $f \in \Upsilon$ then $t$ gets the value $f_X(a_1, \ldots, a_n)$ in $X$ and the value $f_{X'}(a_1, \ldots, a_n)$ in 
$X'$, and we must check that these values are the same. Recall that $t$ is obtained from its 
shadow $\tilde t$ by replacing each variable $v$ in $\tilde t$ with a certain ASM-term $\sigma(v)$. Thus, the value 
$f_X(a_1, \ldots, a_n)$ of $t$ in $X$ is also the value of $\tilde t$ in $X$ when each variable $v$ is assigned the 
value $\mathrm{Val}(\sigma(v), X, \xi)$, and similarly with $X'$ in place of $X$. By induction hypothesis, these 
values assigned to the variables are the same in $X$ and $X'$. (We use here that $\sigma(v)$ is a 
proper subterm of $t$, which is correct because $t$ begins with a function symbol from $\Upsilon$.) 
Furthermore, since $\sigma(v)$ begins with an external function symbol, its value is in $\mathrm{Range}(\dot\xi)$. 
Thus, the assumption that $(X, \xi)$ and $(X', \xi)$ agree on $W(t)$, which contains $\tilde t$, ensures that 
$\tilde t$ has the same value in both $X$ and $X'$. Therefore $f_X(a_1, \ldots, a_n) = f_{X'}(a_1, \ldots, a_n)$ as 
required. Since no queries are issued in this situation, we have completed the proof in the 
case that $f \in \Upsilon$. 

There remains the case that $f \in E$ and, as before, the subterms $t_i$ have (the same) 
values $a_i$ in $X$ and $X'$. If $\hat f[a_1, \ldots, a_n] \in \mathrm{Dom}(\xi)$ then $t$ gets the same value $\dot\xi(\hat f[a_1, \ldots, a_n])$ 
in both $X$ and $X'$, no queries are issued in either state, and the lemma is established in 
this case. 

So assume that the query $\hat f[a_1, \ldots, a_n]$ is not in $\mathrm{Dom}(\xi)$. Then this query is the unique 
query produced by $t$ in either state, and $t$ has no value in either state, so again the conclusion 
of the lemma holds. □ 

The preceding lemma easily implies the corresponding result for guards. 

Lemma 4.5. For every guard $\varphi$ there exists a finite set $W(\varphi)$ of $\Upsilon$-terms such that, when- 
ever $(X, \xi)$ and $(X', \xi)$ agree on $W(\varphi)$, then: 

• If $\xi \vdash^{\varphi}_{X} q$ then $\xi \vdash^{\varphi}_{X'} q$. 

• $\mathrm{Val}(\varphi, X, \xi) = \mathrm{Val}(\varphi, X', \xi)$. 

Proof. We define $W(\varphi)$ by induction on $\varphi$. If $\varphi$ is a Boolean term, then the preceding 
lemma provides the required $W(\varphi)$. 
If $\varphi$ is $(s \prec t)$ then we define 

$$W(s \prec t) = W(s) \cup W(t) \cup \{\text{true}, \text{false}\}.$$
To check that the conclusion of the lemma is satisfied, we apply the previous lemma to see 
that, not only for the history $\xi$ in question but also for any $\eta \sqsubseteq \xi$, if either of $\mathrm{Val}(s, X, \eta)$ and 
$\mathrm{Val}(s, X', \eta)$ is defined then so is the other, and similarly for $t$. With this information and 
with the knowledge that true and false denote the same element in $X$ and $X'$ (because 
of agreement on $W(\varphi)$, which contains true and false), one finds by inspection of the 
relevant clauses in the semantics of guards that the conclusion of the lemma holds. 
If $\varphi$ is $\psi_0 \wedge \psi_1$ or $\psi_0 \vee \psi_1$, then we set 

$$W(\varphi) = W(\psi_0) \cup W(\psi_1) \cup \{\text{true}, \text{false}\}.$$

Finally, we set 

$$W(\neg\psi) = W(\psi) \cup \{\text{true}, \text{false}\}.$$

Again, inspection of the relevant clauses in the semantics of guards shows that the conclusion 
of the lemma holds. □ 

Finally, we prove the corresponding result for rules. 

Lemma 4.6. For every rule $R$, there is a bounded exploration witness $W(R)$. 

Proof. We define $W(R)$ by recursion on $R$ as follows. 
If $R$ is an update rule $f(t_1, \ldots, t_n) := t_0$, then 

$$W(R) = \bigcup_{i=0}^{n} W(t_i).$$

If $R$ is issue $f(t_1, \ldots, t_n)$, then 

$$W(R) = \bigcup_{i=1}^{n} W(t_i).$$

If $R$ is fail then $W(R)$ is empty. 

If $R$ is a conditional rule if $\varphi$ then $R_0$ else $R_1$, then 

$$W(R) = W(\varphi) \cup W(R_0) \cup W(R_1) \cup \{\text{true}, \text{false}\}.$$

If $R$ is a parallel combination do in parallel $R_1, \ldots, R_k$ then 

$$W(R) = \bigcup_{i=1}^{k} W(R_i).$$

That $W(R)$ serves as a bounded exploration witness for $R$ is proved by induction on $R$. 
Every case of the inductive proof is trivial in view of the previous lemmas and the definition 
of the semantics of rules. □ 
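The bound $B$ of Lemma 4.3 and the witness sets $W$ of Lemmas 4.4 to 4.6 are purely syntactic, so they can be computed by one walk over a program. The Python below is an added example, not code from the paper: it computes both, including the shadow construction from the proof of Lemma 4.4 (outermost external-headed subterms replaced by distinct variables). The tuple encoding of terms, guards and rules, the reserved tag names, and the representation of variables as `('var', i)` and of the Boolean constants as nullary terms are assumptions of mine.

```python
from itertools import count

# Encoding (mine): a term is (f, [args]) with f not in TAGS; a guard is ('term', t),
# ('before', s, t), ('and'|'or', a, b) or ('not', a); a rule is ('update', f, [args], t0),
# ('issue', f, [args]), ('fail',), ('if', guard, R0, R1) or ('par', [rules]).
TAGS = {'term', 'before', 'and', 'or', 'not', 'update', 'issue', 'fail', 'if', 'par'}
TF = {('true', ()), ('false', ())}          # the Boolean constants as nullary terms

def bound(node):
    """B(.) of Lemma 4.3: a bound on the number of queries that initial segments of
    any history can cause, computed from the syntax alone (no state, no history)."""
    k = node[0]
    if k not in TAGS:                       # term f(t_1..t_n): 1 + sum B(t_i)
        return 1 + sum(bound(t) for t in node[1])
    if k in ('term', 'not'):
        return bound(node[1])
    if k in ('before', 'and', 'or'):
        return bound(node[1]) + bound(node[2])
    if k == 'update':                       # sum over i = 0..n
        return sum(bound(t) for t in node[2]) + bound(node[3])
    if k == 'issue':                        # the 1 is the issued query itself
        return 1 + sum(bound(t) for t in node[2])
    if k == 'fail':
        return 0
    if k == 'if':
        return bound(node[1]) + bound(node[2]) + bound(node[3])
    return sum(bound(R) for R in node[1])   # do in parallel

def shadow(t, ext, fresh=None):
    """A shadow of t (proof of Lemma 4.4): each outermost subterm headed by an
    external symbol becomes a distinct variable ('var', i); the result is an Upsilon-term."""
    fresh = fresh or count(1)
    f, args = t
    if f in ext:
        return ('var', next(fresh))
    return (f, tuple(shadow(a, ext, fresh) for a in args))

def witness(node, ext):
    """W(.) of Lemmas 4.4-4.6 as a set of Upsilon-terms (hashable nested tuples)."""
    k = node[0]
    if k not in TAGS:                       # W(t) = {shadow of t} u U W(t_i)
        return {shadow(node, ext)} | set().union(*(witness(t, ext) for t in node[1]))
    if k == 'term':
        return witness(node[1], ext)
    if k == 'not':
        return witness(node[1], ext) | TF
    if k in ('before', 'and', 'or'):
        return witness(node[1], ext) | witness(node[2], ext) | TF
    if k == 'update':
        return set().union(*(witness(t, ext) for t in node[2] + [node[3]]))
    if k == 'issue':
        return set().union(*(witness(t, ext) for t in node[2]))
    if k == 'fail':
        return set()
    if k == 'if':
        return witness(node[1], ext) | witness(node[2], ext) | witness(node[3], ext) | TF
    return set().union(*(witness(R, ext) for R in node[1]))
```

For the term $p(\mathit{succ}(q))$ with $p, q$ external, `bound` returns 3 and `witness` returns the two shadows $v_1$ and $\mathit{succ}(v_1)$: the variable stands for whichever reply the environment gives, which is exactly why agreement on these terms (with variables ranging over $\mathrm{Range}(\dot\xi)$) suffices for the lemma.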

5. Algorithms are Equivalent to ASMs 

In this section, we shall prove the Abstract State Machine Thesis for interactive, small- 
step algorithms. That is, we shall prove that every algorithm (as defined in [5, Section 3]) 
is equivalent (as defined in [5, Section 4]) to an ASM (as in Definition 3.20). 

Throughout this section, we assume that we are given an interactive, small-step algo- 
rithm $A$. By definition, it has a set $S$ of states, a set $\mathcal{I}$ of initial states, a finite vocabulary 
$\Upsilon$, a finite set $\Lambda$ of labels, causality relations $\vdash_X$, sets $\mathcal{F}_X$ of final histories, subsets $\mathcal{F}^+_X$ and 
$\mathcal{F}^-_X$ of successful and failing final histories, and update sets $\Delta^+(X, \xi)$. Here and throughout 
this section, $X$ ranges over states and $\xi$ over histories for $X$. Furthermore, $A$ has, by the 
Bounded Work Postulate of [5] and its corollaries, a bound $B$ for the number and lengths 
of the queries issued in any state under any attainable history, and it has a bounded ex- 
ploration witness $W$. Since $W$ retains the property of being a bounded exploration witness 
if more $\Upsilon$-terms are added to it, we may assume that $W$ is closed under subterms and 
contains true, false, and some variable. 

To define an ASM equivalent to $A$, we must specify, according to Definition 3.20, 

• its vocabulary, 

• its set of labels, 

• its external vocabulary, 

• its program, 

• its template assignment, 

• its set of states, and its set of initial states. 

5.1. Vocabulary, labels, states. Some of these specifications are obvious, because the 
definition of equivalence requires that the vocabulary, the labels, the states, and the initial 
states be the same for our ASM as they are for the given algorithm A. It remains to define 
the external vocabulary, the template assignment, and the program. 

Before proceeding, we note that Definition 3.20 requires $S$ and $\mathcal{I}$ to be closed under 
isomorphisms and requires $S$ to be closed under the transitions of the ASM. The first of 
these requirements is satisfied by our choice of $S$ and $\mathcal{I}$ because $A$ satisfies the Isomorphism 
Postulate. That the second requirement is also satisfied will be clear once we verify that 
the update sets and therefore the transition functions of $A$ and of our ASM agree (at least 
on successful final histories), for the Step Postulate ensures that $S$ is closed under the 
transitions of $A$. 

5.2. External vocabulary and templates. To define the external vocabulary $E$ and 
the template assignment for our ASM, we consider all templates, of length at most $B$, 
for the given set $\Lambda$ of labels, in which the placeholders occur in order. (Recall that 
$B$ is an upper bound on the lengths of queries issued by algorithm $A$ in arbitrary states 
for arbitrary attainable histories.) These templates, which we call standard templates, can 
be equivalently described as the tuples obtained by taking any initial segment of the list 
$\sharp 1, \sharp 2, \ldots$ of placeholders and inserting elements of $\Lambda$ into such a tuple, while keeping the 
total length of the tuple $\le B$. We note that any potential query of length $\le B$ (over any 
state) is obtained from a unique standard template by substituting elements of the state 
for the placeholders. We define the external vocabulary $E$ and the template assignment 
simultaneously by putting into $E$ one function symbol $f$ for each standard template and 
writing $\hat f$ for the standard template associated to $f$. Define an external function symbol $f$ 
to be $n$-ary if $\hat f$ is a template for $n$-ary functions. 
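The enumeration of standard templates and the uniqueness claim just made can be checked mechanically. The Python below is an added example, not code from the paper: `standard_templates` builds every tuple of length at most $B$ from an in-order initial segment of the placeholder list with labels filling the other positions, `template_of` recovers from a potential query the unique standard template and the substitution that produce it, and `instantiate` is the inverse substitution. Encoding assumptions of mine: labels are the members of the given set, placeholders are `('#', i)`, and every other component of a query is a state element (labels and state elements are kept disjoint, as the paper's tuples presuppose).

```python
from itertools import combinations, product

def standard_templates(labels, B):
    """All standard templates of length <= B: take the initial segment #1..#n of the
    placeholder list, keep it in order, and insert labels at the remaining positions."""
    out = set()
    for n in range(B + 1):                              # number of placeholders
        for length in range(n, B + 1):                  # total length of the tuple
            for slots in combinations(range(length), n):   # positions of #1..#n, in order
                rest = [i for i in range(length) if i not in slots]
                for labs in product(sorted(labels), repeat=len(rest)):
                    tpl = [None] * length
                    for k, pos in enumerate(slots):
                        tpl[pos] = ('#', k + 1)
                    for pos, lab in zip(rest, labs):
                        tpl[pos] = lab
                    out.add(tuple(tpl))
    return out

def template_of(query, labels):
    """The unique standard template of a potential query, plus the substitution
    (state elements in order of appearance, one per placeholder) that instantiates it."""
    tpl, subst = [], []
    for comp in query:
        if comp in labels:
            tpl.append(comp)
        else:
            subst.append(comp)
            tpl.append(('#', len(subst)))
    return tuple(tpl), tuple(subst)

def instantiate(tpl, subst):
    """Substitute subst[i-1] for the placeholder ('#', i); the inverse of template_of."""
    return tuple(subst[c[1] - 1] if isinstance(c, tuple) and c[0] == '#' else c for c in tpl)
```

With $\Lambda = \{a, b\}$ and $B = 2$ there are 13 standard templates (7 with no placeholder, 5 with one, 1 with two), and the constructed query $(a, 7, 9)$ maps to the template $(a, \sharp 1, \sharp 2)$ with substitution $(7, 9)$; a repeated element such as $(a, 7, 7)$ still gets two distinct placeholders, which is what makes the template unique.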

Remark 5.1. For many algorithms, the external vocabulary defined here is larger than 
necessary; many symbols in $E$ won't occur in the program $\Pi$. One can, of course, discard 
such superfluous symbols once $\Pi$ is defined. We chose the present definition of $E$ in order 
to make it independent of the more complicated considerations involved in defining $\Pi$. □ 
Remark 5.2. We have not specified — nor is there any need to specify — exactly what 
entities should serve as the external function symbols $f$ associated to templates $\hat f$. The 
simplest choice mathematically would be to take the function symbols to be the standard 
templates themselves, but even with this choice, which would make $f = \hat f$, it would seem 
worthwhile to maintain the notational distinction between $f$, to be thought of as a function 
symbol, and $\hat f$, to be thought of as a template. □ 



5.3. Critical elements, critical terms, agreement. The preceding discussion completes 
the easy part of the definition of our ASM; the hard part that remains is to define the 
program $\Pi$. Looking at the characterization in Lemma 4.3 of [5], we find that we have 
(trivially) satisfied the first requirement for the equivalence of our ASM and the given $A$ 
(agreement as to states, initial states, vocabulary, and labels), and that we must construct 
$\Pi$ so as to satisfy the remaining three requirements (agreement as to queries issued, finality, 
success, failure, and updates). Notice that these three requirements refer only to histories 
that are attainable for both algorithms. This means that, in constructing $\Pi$, we can safely 
ignore what $A$ does with unattainable histories. 

As in the proofs of the ASM thesis for other classes of algorithms in [10^ [H [3] , we use 
the bounded exploration witness to gain enough control over the behavior of the algorithm 
A to match it with an ASM. The first step in this process is the following lemma, whose 
basic idea goes back to [10]. 

Definition 5.3. Let X be a state and ξ a history for it. An element a ∈ X is critical for X and ξ if there is a term t ∈ W and there are values in Range(ξ) for the variables in t such that the resulting value for t is a. □

Lemma 5.4 (Critical Elements). Let X be a state, ξ a coherent history for it, and a an element of X. Assume that one of the following holds.

• There is a query q such that ξ ⊢_X q and a is one of the components of the tuple q.

• There is an update (f, (b₁, …, b_n), c) ∈ Δ⁺(X, ξ) such that a is one of the b_i's or c.

Then a is critical for X and ξ.

Proof. The proof is very similar to the one in [2, Propositions 5.23 and 5.24], so we shall be rather brief here. We may assume, as an induction hypothesis, that the lemma holds when ξ is replaced with any proper initial segment of ξ. (This is legitimate because initial segments inherit coherence from ξ.) Because ξ is coherent, every query in its domain is caused by some proper initial segment. So all components in X of such a query are critical for that initial segment and therefore also critical for ξ.

Assume that a is not critical for X and ξ; we shall show that neither of the two hypotheses about a can hold.

Form a new state X', isomorphic to X, by replacing a by a new element a'. Since a is not critical, it is neither a component of a query in Dom(ξ) nor an element of Range(ξ). Thus ξ is a history for X' as well as for X. Using again the assumption that a is not critical, one finds that (X, ξ) and (X', ξ) agree on W. As W is a bounded exploration witness for A, and as a is obviously neither a component of a query caused by ξ over X' nor a component in an update in Δ⁺(X', ξ) (because a ∉ X'), it follows that a is neither a component of a query caused by ξ over X nor a component in an update in Δ⁺(X, ξ). □
The construction of our ASM will be similar to that in [1, Section 5], but some additional work will be needed to take into account the timing information in histories and the possibility of incomplete but final histories.

The role played by element tags (or e-tags) and query tags (or q-tags) in [1] will now be played by ASM-terms, i.e., variable-free terms over the vocabulary Υ ∪ E. Some of these terms, those with outermost function symbol in E, will, by Definition 3.3, obtain two kinds of possible values: the ordinary value, which is an element of the state, and also a query-value, which is a potential query.

Definition 5.5 (Critical Terms). Recall that an ASM-term is a closed term of the vocabulary Υ ∪ E.

• A critical term of level 0 is a closed term in the bounded exploration witness W.

• If t₁, …, t_k are critical terms with maximal level n and f is a k-ary function symbol in E, then f(t₁, …, t_k) is a critical q-term of level n + 1.

• If t(x̄) ∈ W contains exactly the variables x₁, …, x_k and if t₁, …, t_k are critical q-terms with maximal level n, then the result of substituting t_i for x_i in t, i = 1, …, k, is a critical term of level n.

• By a critical term we mean a critical term of some level.

□

Because we arranged for W to contain a variable, the third clause of the definition 
implies that every critical q-term is a critical term (of the same level), so our terminology 
is consistent. 

Since W and the external vocabulary E are finite, there are only finitely many critical 
terms of any one level. 

Notice that, although they are obtained from the Υ-terms in W, our critical terms are ASM-terms. That is, they contain no variables, but they can contain external function symbols.

The values of ASM-terms, including in particular critical terms, for a given state X and history ξ, as well as the query-values of q-terms, were defined in Definition 3.3.

Recall also that, according to Lemma 3.6, a term that has a value in state X with respect to an initial segment of ξ will have the same value with respect to ξ itself, and that the same holds of query-values. The next lemma records some related facts for future reference. Recall that two pairs (X, ξ) of a state and history are said to agree on W if the two histories are the same and every term in W gets the same values (if any) in both states when the variables are given values in the range of the history.

Lemma 5.6 (Invariance of Values).

• If i : X ≅ Y is an isomorphism, ξ is a history for X, and z is any ASM-term, then i(Val(z, X, ξ)) = Val(z, Y, i(ξ)). If z is a q-term, then also i(q-Val(z, X, ξ)) = q-Val(z, Y, i(ξ)).

• If (X, ξ) and (Y, ξ) agree on W, then Val(z, X, ξ) = Val(z, Y, ξ) for all critical terms z, and q-Val(z, X, ξ) = q-Val(z, Y, ξ) for all critical q-terms z.

Proof. The first assertion is proved by induction on terms, using the Isomorphism Postulate. 
The second is proved by induction on critical terms and critical q-terms, using the facts 
that all critical terms are, by definition, in the bounded exploration witness W and that 
the same history ξ is used on both sides of the claimed equations. □
Remark 5.7. An approximation to the intuition behind critical terms is that critical terms of level n represent (for a state X and history ξ) the elements of X and the queries that can play a role in the computation of our algorithm A during the first n rounds or phases of its interaction with the environment. This is based on the intuition that the bounded exploration witness W represents all the things the algorithm can do, with the environment's replies, to focus its attention on elements of X. At first, before receiving any information from the environment (indeed, before even issuing any queries), the algorithm can focus only on the values of closed terms from W, i.e., the values of critical terms of level 0. Using these, it can formulate and issue queries; these will be query-values of q-terms of level 1. Once some replies are received to those queries, the algorithm can focus on the values of non-closed terms from W with the replies as values for the variables. The replies are the values for the q-terms of level 1 that denote the issued queries, and so the elements to which the algorithm now pays attention are the values of critical terms of level ≤ 1. Using them, it assembles and issues queries, query-values of q-terms of level ≤ 2. The replies, used as values of the variables in terms from W, give the new elements to which the algorithm can pay attention, and these are the values of critical terms of level ≤ 2. The process continues similarly for later rounds of the interaction with the environment and correspondingly higher level terms.

One should, however, be careful not to assume too much about the connection between levels of critical terms and rounds of interaction. It is possible for a critical term t of level 1 to acquire a value only after many rounds of interaction, if, for example, the history happens to answer many other queries, one after the other, before finally getting to one that is needed for evaluating t. It is also possible for a critical term of high level to acquire a value earlier than its level would suggest. Consider, for example, a critical term of the form f(f(f(0))), where f is an external function symbol and 0 is a constant symbol from Υ. If the history ξ contains just one reply, giving the query f[0_X] the value 0_X, then this suffices to give f(f(f(0))) the value 0_X.

The following lemma formalizes the part of this intuitive explanation that we shall need later. □
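A worked instance of the levels in Definition 5.5 and of the early-value phenomenon in Remark 5.7, added here as an illustration (it is not from the original paper); the vocabulary, the witness W, and the one-reply history ξ are assumed for the example.

```latex
\begin{align*}
&\text{Assume } \Upsilon \text{ contains a constant } 0 \text{ and a binary symbol } g,\ E=\{f\} \text{ with } f \text{ unary, and } W=\{\,0,\ x,\ g(x,y)\,\}.\\[2pt]
&\text{Level 0 critical terms: } 0 \quad(\text{the only closed term in } W).\\
&\text{Level 1 critical q-terms: } f(0).\\
&\text{Level 1 critical terms (substitute } f(0) \text{ for } x \text{ in } x \text{ and in } g(x,y)): \ f(0),\ g(f(0),f(0)).\\
&\text{Level 2 critical q-terms: } f(f(0)),\ f(g(f(0),f(0))).\\
&\text{Level 2 critical terms: the two q-terms above, and } g(t_1,t_2) \text{ for q-terms } t_1,t_2 \text{ of level} \le 2\\
&\qquad \text{with } \max(\mathrm{level}(t_1),\mathrm{level}(t_2)) = 2: \ 2 + (3\cdot 3 - 1) = 10 \text{ terms in all (finite, as Section 5.3 notes).}\\[4pt]
&\text{Now let } \xi \text{ be the history of length 1 with } \mathrm{Dom}(\xi)=\{f[0_X]\},\ \xi(f[0_X]) = 0_X,\ \text{ and write } c = g_X(0_X,0_X).\\
&\text{q-Val}(f(0),X,\xi) = f[0_X], \qquad \mathrm{Val}(f(0),X,\xi) = \xi(f[0_X]) = 0_X,\\
&\text{q-Val}(f(f(0)),X,\xi) = f[0_X], \qquad \mathrm{Val}(f(f(0)),X,\xi) = 0_X, \qquad \mathrm{Val}(f(f(f(0))),X,\xi) = 0_X,\\
&\mathrm{Val}(g(f(0),f(0)),X,\xi) = c, \qquad \text{q-Val}(f(g(f(0),f(0))),X,\xi) = f[c],\\
&\text{so, when } c \ne 0_X,\ \mathrm{Val}(f(g(f(0),f(0))),X,\xi) \text{ is undefined because } f[c] \notin \mathrm{Dom}(\xi).
\end{align*}
```

Thus the level-2 and level-3 terms f(f(0)) and f(f(f(0))) already have values after a single reply, while the level-2 term f(g(f(0),f(0))) has none; and the critical elements for (X, ξ), namely 0_X and c, are values of the critical terms 0 and g(f(0),f(0)) of level ≤ 1, as Lemma 5.8 below asserts for a history of length 1.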

Lemma 5.8 (Critical Terms Suffice). Let X be a state, ξ an attainable history for it, and n the length of ξ.

• Every query in Dom(ξ) is the query-value (for X and ξ) of some critical q-term of level ≤ n.

• Every element of Range(ξ) is the value (for X and ξ) of some critical q-term of level ≤ n.

• Every critical element for X and ξ is the value (for X and ξ) of a critical term of level ≤ n.

• Every query in Issued_X(ξ) is the query-value (for X and ξ) of some critical q-term of level ≤ n + 1.

Proof. We proceed by induction on the length n of the history ξ. As ξ is coherent, any query in its domain is issued by a proper initial segment η of ξ. So, by induction hypothesis (applied to the last clause), such a query is the query-value of a q-term of level ≤ length(η) + 1 ≤ n. This proves the first assertion of the lemma.

The second follows, because, if a query in Dom(ξ) is the query-value of a q-term of level ≤ n, then the reply given by ξ is the value of the same term.

For the third assertion, consider any critical element, say the value of a term t ∈ W when the variables of t are given certain values in Range(ξ). By the second assertion already proved, these values of the variables are also the values of certain critical q-terms of level ≤ n. Substituting these terms for the variables in t, we obtain a critical term of level ≤ n whose value is the given critical element.

For the final assertion, consider any query issued by ξ. It has length at most B (by our choice of B), so it is obtained by substituting elements of X for the placeholders in some standard template. That is, it has the form f[a₁, …, a_k] for some external function symbol f and some elements a_i ∈ X. By Lemma 5.4, each a_i is critical with respect to X and ξ. By the third assertion already proved, each a_i is the value of some critical term t_i of level ≤ n. Then our query f[a₁, …, a_k] is the query-value of the critical q-term f(t₁, …, t_k) of level ≤ n + 1. □

As indicated earlier, we can confine our attention to attainable histories. The lengths of these are bounded by B, and so we may, by the lemma just proved, confine our attention to critical terms of level at most B. In particular, only a finite set of critical terms will be under consideration.

We have the following partial converse to the last statement of the Invariance of Values Lemma 5.6. We abbreviate the phrase "pair consisting of a state and an attainable history for it" as "attainable pair."

Lemma 5.9 (Agreement). Let (X, ξ), (Y, ξ) be attainable pairs with ξ of length n. If they agree as to the values of all critical terms of level ≤ n, then they agree on W.

Proof. Note that in the assumption we didn't mention agreement as to query-values. But (X, ξ) and (Y, ξ) will agree as to query-values of critical q-terms of level n as soon as they agree as to the values of critical terms of levels < n.

Let t ∈ W. We need to prove that it takes the same value in (X, ξ) and (Y, ξ) when all variables in t are given values in Range(ξ). But values in Range(ξ) are, by the Critical Terms Suffice Lemma 5.8, the values of some critical q-terms of level ≤ n. Substituting these terms for the variables in t gives us, by definition, a critical term of level ≤ n, where by assumption (X, ξ) and (Y, ξ) agree. □



5.4. Descriptions, similarity. The following definitions are intended to capture all the information about a state and history that can be relevant to the execution of our algorithm A. That they succeed will be the content of the subsequent discussion and lemmas.

Definition 5.10. Let (X, ξ) be an attainable pair. Let n be the length of ξ. (Recall that n is finite and in fact ≤ B.) Define the truncation ξ⁻ of ξ to be the initial segment of ξ of length n − 1 (undefined if n = 0). The description δ(X, ξ) of X and ξ is the Kleene conjunction of the following guards:

• all equations s = t and negated equations ¬(s = t) that have value true in (X, ξ), where s and t are critical terms of level ≤ n, and

• all timing inequalities (u ≺ v) and (u ≼ v) that have value true in (X, ξ), where u and v are critical q-terms of level ≤ n, and where q-Val(v, X, ξ⁻) exists and is in Issued_X(ξ⁻).

□
Some comments may help to clarify the last clause here, about timing inequalities. First, recall that the strict inequality (u ≺ v) is merely an abbreviation of ¬(v ≼ u).

Second, although we explicitly require only v to have a query-value in Issued_X(ξ⁻), the same requirement for u is included in the requirement that (u ≼ v) or (u ≺ v) is true. Indeed, inspection of the definition of the semantics of timing guards (in Definition 3.7) shows that the q-term u must have a value, and this is possible only if u has a query-value in Dom(ξ). Since ξ is coherent, it follows that q-Val(u, X, ξ) must be in Issued_X(ξ⁻).

Third, if n = 0 then ξ⁻ is undefined, and as a result δ(X, ξ) contains no timing inequalities.

Our definition of the description of X and ξ is not complete on the syntactic level, for it does not specify the order or parenthesization of the conjuncts in the Kleene conjunction. That is, it is complete only up to associativity and commutativity of ∧. The reader is invited to supply any desired syntactic precision; it will never be used. The choice of order and parenthesization of conjuncts makes no semantic difference; the Kleene conjunction and disjunction are commutative and associative as far as truth values and issued queries are concerned.

We shall sometimes refer to descriptions of attainable pairs as attainable descriptions, 
even though "attainable" is redundant here because the descriptions have been defined only 
for attainable pairs. 

The following lemma and its corollary provide useful information about the q-terms 
occurring in a description. 

Lemma 5.11. Let (X, ξ) be an attainable pair, n ≥ 1 the length of ξ, and v a q-term. The following are equivalent.

(1) v occurs in δ(X, ξ).

(2) v occurs as one side of a timing inequality in δ(X, ξ).

(3) v is a critical q-term of level ≤ n and it has a query-value q-Val(v, X, ξ⁻) that is in Issued_X(ξ⁻).

Proof. Since the implication from (2) to (1) is trivial, we prove that (3) implies (2) and that (1) implies (3).

Suppose first that (3) holds. Let q be any query in the last equivalence class of the preorder in ξ. As ξ is attainable, q ∈ Issued_X(ξ⁻). Also, by Lemma 5.8, q = q-Val(u, X, ξ⁻) for some critical q-term u of level ≤ n. Because q is in the last equivalence class with respect to ξ, Val(u, X, ξ) exists but Val(u, X, ξ⁻) does not. Now if q-Val(v, X, ξ⁻), which is also q-Val(v, X, ξ), is in Dom(ξ), then Val(v, X, ξ) exists and so δ(X, ξ) contains the conjunct (v ≼ u). Otherwise, Val(v, X, ξ) does not exist, and so δ(X, ξ) contains the conjunct (u ≺ v). In either case, (2) holds.

Finally, we assume (1) and deduce (3). Inspection of the definition of descriptions reveals that any q-term v that occurs in δ(X, ξ) must be a sub-q-term either of some critical term of level ≤ n that has a value with respect to (X, ξ) or of some critical q-term of level ≤ n that either has a value with respect to (X, ξ) or at least has a query-value that is issued with respect to (X, ξ⁻). In any case it follows, thanks to the attainability (and in particular the coherence) of ξ, that (3) holds. □

Corollary 5.12. The q-terms that occur in the description of an attainable pair (X, ξ) depend only on X and ξ⁻, not on the last equivalence class in the preorder of Dom(ξ).

Proof. Immediate from the third of the equivalent statements in the lemma. □
Clearly, δ(X, ξ) is a guard, and Val(δ(X, ξ), X, ξ) = true. The next lemma shows that descriptions are invariant under two important equivalence relations on attainable pairs.

Lemma 5.13 (Invariance of Descriptions). Let (X, ξ) be an attainable pair.

• If (Y, ξ) is an attainable pair (with the same ξ) agreeing with (X, ξ) on W, then they have the same descriptions.

• If (Y, η) is an attainable pair isomorphic to (X, ξ), then they have the same descriptions.

Proof. To see that the first statement is true, use the second clause of the Invariance of Values Lemma 5.6 to establish that the same critical terms occur in δ(X, ξ) and δ(Y, ξ) in the same roles. To see that the second statement is true, use the first clause of the same lemma. □

Thus, each of agreement and isomorphism is a sufficient condition for similarity in the sense of the following definition. We shall see later, in Corollary 5.16, that the composition of agreement and isomorphism is not only sufficient but also necessary for similarity.

Definition 5.14. Two attainable pairs are similar if they have the same descriptions. □

The next lemma describes the other states and histories in which δ(X, ξ) is true, and thus leads to a characterization of similar attainable pairs.

Lemma 5.15. Let (X, ξ) and (Y, η) be attainable pairs. Suppose δ(X, ξ) has value true in (Y, η). Then

• the length of η is at least the length of ξ;

• there is an attainable pair (Z, η') isomorphic to (X, ξ), such that η' is an initial segment of η and (Z, η') agrees with (Y, η') on W.

In other words, any (Y, η) that satisfies the description of (X, ξ) can be obtained from (X, ξ) by the following three-step process. First, replace (X, ξ) by an isomorphic copy (Z, η'). Second, leaving the history η' unchanged, replace Z by a new state Y but maintain agreement on the bounded exploration witness W. Third, extend the history η' by adding new items strictly after the ones in η', so that η' is an initial segment of the resulting η.

Notice that, by virtue of the isomorphism of (X, ξ) and (Z, η'), we can describe η' more specifically as the initial segment of η of the same length as ξ.

Proof. We proceed by induction on the length n of the history ξ.

Length: η is not shorter than ξ. Choose one query from each of the n equivalence classes in Dom(ξ), say q_j from the j-th equivalence class. Letting ξ↾j denote the initial segment of ξ of length j, and applying Lemma 5.8, we express each q_j as the query-value, with respect to (X, ξ↾j), of some critical q-term u_j of level ≤ j. Thus, u_j has a value ξ(q_j) with respect to ξ↾j but not with respect to ξ↾(j − 1). Thus, δ(X, ξ) includes the conjuncts (u_j ≺ u_{j+1}) for j = 1, 2, …, n − 1 and also the conjunct u_n = u_n. So these conjuncts must also be true in (Y, η), which means that η has length at least n.

Construction of (Z, η'). Our next step will be to define a certain isomorphic copy (Z, η') of (X, ξ). Afterward, we shall verify that η' has the other properties required.

We may assume, by replacing (X, ξ) with an isomorphic copy if necessary, that X is disjoint from Y. Next, obtain an isomorphic copy Z of X as follows. For each critical term t of level ≤ n, if Val(t, X, ξ) exists, then remove this element from X and put in its place the element Val(t, Y, η) of Y. To see that this makes sense, we must observe two things. First, the equation t = t is one of the conjuncts in δ(X, ξ) and is therefore true for Y and η. Thus, the replacement element Val(t, Y, η) exists. Second, if the same element of X is also Val(t', X, ξ) for another critical term t' of level ≤ n, then the equation t' = t is a conjunct in δ(X, ξ) and is therefore true for Y and η. Thus, Val(t', Y, η) = Val(t, Y, η), which means that the replacement element is uniquely defined.

Let i be the obvious isomorphism from X to Z, sending each of the replaced elements Val(t, X, ξ) to its replacement Val(t, Y, η) and sending all the other elements of X to themselves. Let η' = i(ξ); this is the history for Z obtained by applying i to all components from X in the queries in Dom(ξ) and to all the replies in Range(ξ). Because of the isomorphism, it is clear that (Z, η') is, like (X, ξ), an attainable pair and that η' has the same length n as ξ.

Values: η' is a subfunction of η. Consider any query q = f[a₁, …, a_k] ∈ Dom(ξ) and its reply b = ξ(q). Thus, i(q) ∈ Dom(i(ξ)), and i(ξ)(i(q)) = i(b). Furthermore, every element of Dom(i(ξ)) is i(q) for some such q. By Lemma 5.8, all the a_j are values in (X, ξ) of certain critical terms t_j of level < n, and so b is the value of the critical term f(t₁, …, t_k) of level ≤ n. In forming Z, we replaced the elements a_j by the values i(a_j) of the t_j's in (Y, η), and we replaced b by i(b), the value in (Y, η) of f(t₁, …, t_k). But this last value is, by definition, the result of applying η to the query that is the query-value of f(t₁, …, t_k), namely the query f[i(a₁), …, i(a_k)] = i(q). That is, i(b) = η(i(q)). This shows that, whenever i(ξ) maps a query i(q) to a reply i(b), then so does η; in other words, η' is a subfunction of η.

Order: ≼_{η'} is a sub-preorder of ≼_η. We next show that the preordering of η' agrees with that of η. Consider an arbitrary q ∈ Dom(ξ), and suppose it is in the j-th equivalence class with respect to the preorder given by ξ. So, as ξ is coherent, q ∈ Issued_X(ξ↾(j − 1)), and so, by the last part of Lemma 5.8, we have a critical q-term u of level ≤ j such that q = q-Val(u, X, ξ↾(j − 1)). Note that Val(u, X, ξ↾(j − 1)) does not exist, because q ∉ Dom(ξ↾(j − 1)).

We wish to apply the induction hypothesis to (X, ξ↾(j − 1)). To do so, we observe that δ(X, ξ↾(j − 1)) is a subconjunction of δ(X, ξ) and is therefore true in (Y, η). So we can apply the induction hypothesis and find that (X, ξ↾(j − 1)) is isomorphic to an attainable pair that agrees with (Y, η↾(j − 1)). By Lemma 5.6, u has a query-value but no value in (Y, η↾(j − 1)). Inspection of the definitions shows that its query-value is i(q).

If j < n, i.e., if q ∈ Dom(ξ⁻), then we can also apply the induction hypothesis to (X, ξ↾j), in which u has a value. We conclude that u has a value in (Y, η↾j). Since it had a query-value but no value in (Y, η↾(j − 1)), we conclude that its query-value, i(q), must be in exactly the j-th equivalence class with respect to η.

If, on the other hand, j = n, i.e., if q is in the last equivalence class with respect to ξ, then this last application of the induction hypothesis is not available. Nevertheless, since q ∈ Dom(ξ), we know that u has a value in (X, ξ), so δ(X, ξ) contains the conjunct u = u, so this conjunct is true also in (Y, η), and so u has a value in (Y, η). This means that i(q), the query-value of u, is in Dom(η). We saw earlier that it is not in Dom(η↾(j − 1)), where now j = n. So i(q) is in the n-th equivalence class or later with respect to η.

What we have proved so far suffices to establish that if q <_ξ q' then i(q) <_η i(q') and that the same holds for non-strict inequalities except in the case that both q and q' are in the last equivalence class with respect to ξ. In this exceptional case, we know that i(q) is the query-value, already existing in (Y, η↾(n − 1)), of u (as above), yet u has no value in (Y, η↾(n − 1)). This means that the smallest m for which Val(u, Y, η↾m) exists is the m such that i(q) is in the m-th equivalence class with respect to η. Repeating the argument with an analogously defined q-term u' for q', and using the fact that δ(X, ξ) contains the conjuncts (u ≼ u') and (u' ≼ u), which means that these conjuncts are also true in (Y, η), we find that i(q) and i(q') are in the same equivalence class with respect to η.

This completes the proof that η' — including both the answer function and the preorder — is the restriction of η to some subset of its domain. In fact, we have shown more, namely that, for j < n, i maps the j-th equivalence class with respect to ξ into the j-th equivalence class with respect to η, and that it maps the last (n-th) equivalence class with respect to ξ into a single equivalence class — possibly the n-th and possibly later — with respect to η.

The next step is to show that η' = i(ξ) is an initial segment of η. This will imply that, in the preceding summary of what was already proved, both occurrences of "into" can be improved to "onto" and "possibly the n-th and possibly later" can be improved to "the n-th".

Initial segment: η' is an initial segment of η. Suppose, toward a contradiction, that Dom(η') is not an initial segment of Dom(η) (with respect to ≼_η). So there exist some q ∈ Dom(η) − Dom(η') and some q' ∈ Dom(ξ) (and thus i(q') ∈ Dom(η')) such that q <_η i(q'). Among all such pairs q, q', fix one for which q occurs as early as possible in the preorder ≼_η. Since q' ∈ Dom(ξ), we can fix a critical q-term u' of level ≤ n with q-Val(u', X, ξ) = q' and thus, by definition of i, q-Val(u', Y, η) = i(q'). We record for future reference that, since q-Val(u', X, ξ) ∈ Dom(ξ), u' has a value with respect to ξ.

Consider the initial segment of η up to but not including q. By what we have already proved (and our choice of q as the earliest possible), it is i(ζ) for some proper initial segment ζ of ξ — proper because it doesn't contain q'. In particular, ζ has length at most n − 1, and so we know, by induction hypothesis, that the lemma is true with ζ in place of ξ. (As before, the lemma can be applied because δ(X, ζ) is a subconjunction of δ(X, ξ), which is true in (Y, η).) So we conclude that (X, ζ) is isomorphic to an attainable pair that agrees on W with (Y, i(ζ)).

Since i(ζ) is the initial segment of η ending just before q, and since η is a coherent history, we know that q ∈ Issued_Y(i(ζ)). By the Critical Terms Suffice Lemma 5.8, q is the query-value in (Y, i(ζ)), and therefore also in (Y, η), of some critical q-term u of level ≤ n. Thanks to the isomorphism between (X, ζ) and an attainable pair agreeing with (Y, i(ζ)), we have that u also has a query-value, say q'', in (X, ζ) and this value is in Issued_X(ζ) and, a fortiori, in Issued_X(ξ). By definition of i, i(q'') = q. As q was chosen outside Dom(i(ξ)) = i(Dom(ξ)), it follows that q'' ∉ Dom(ξ). From this and q' ∈ Dom(ξ), we conclude that (u' ≺ u) is one of the conjuncts in δ(X, ξ) and is therefore true in (Y, η). Since u has a value in the initial segment of η up to and including q (one equivalence class beyond i(ζ)), we infer that u' must have a value in (Y, i(ζ)). That means that the query-value of u', namely i(q'), must be in the domain of i(ζ), i.e., i(q') <_η q. This contradicts the original choice of q and q', and this contradiction completes the proof that η' is an initial segment of η.

Agreement: (Z, η') and (Y, η') agree on W. It remains to prove that the attainable pairs (Z, η') and (Y, η') agree on W. We prove this in three steps. First, we show that, if z is any critical term of level ≤ n, then

\[ i(\mathrm{Val}(z, X, \xi)) = \mathrm{Val}(z, Y, \eta'). \]
This is almost the definition of i, which says that i(Val(z, X, ξ)) = Val(z, Y, η). Our task is to replace η on the right side of this equation with η'. That is, we must show that, if Val(z, X, ξ) exists (and therefore Val(z, Y, η) exists), then Val(z, Y, η') exists, because then we shall have Val(z, Y, η') = Val(z, Y, η) by the monotonicity of values. We proceed by induction on the level of z. The only non-trivial case, i.e., the only case where changing η to η' could matter, is the case that z is a q-term. The possibility that we must exclude is that q-Val(z, Y, η) (which is also q-Val(z, Y, η') as the induction hypothesis applies to the arguments of z) is in the domain of η but not in the domain of η'. But q-Val(z, X, ξ) exists and is in the domain of ξ (because Val(z, X, ξ) exists), and its image under i is, by definition of i, q-Val(z, Y, η). So this image is in the domain of i(ξ) = η', as desired.

Second, we observe that, since i is an isomorphism from X to Z and sends ξ to η', we have i(Val(z, X, ξ)) = Val(z, Z, η'). Combining this with the result established in the preceding paragraph, we have

\[ \mathrm{Val}(z, Z, \eta') = \mathrm{Val}(z, Y, \eta') \]

for all critical terms z of level ≤ n.

Finally, an application of the Agreement Lemma 5.9 completes the proof that (Z, η') and (Y, η') agree on W. □

Corollary 5.16 (Factorization). Let (X, ξ) and (Y, η) be similar attainable pairs. Then there is a state Z such that η is an attainable history for Z, (Z, η) agrees with (Y, η) on W, and (Z, η) is isomorphic to (X, ξ).

Proof. We can apply Lemma 5.15 to (X, ξ) and (Y, η) in either order, since each satisfies the other's description. Thus ξ and η have the same length, and the η' of the lemma is simply η. The rest of the corollary is contained in the lemma. □

Corollary 5.17 (Similarity Suffices). Let (X, ξ) and (Y, η) be similar attainable pairs. Let n be the length of ξ (and of η, by Corollary 5.16). Then

• If u is a q-term of level ≤ n + 1 and ξ ⊢_X q-Val(u, X, ξ), then η ⊢_Y q-Val(u, Y, η).

• If ξ is in 𝒯_X or ℱ_X, then η is in 𝒯_Y or ℱ_Y, respectively.

• If Δ⁺(X, ξ) contains an update (f, (a₁, …, a_k), a₀) where each a_i is Val(t_i, X, ξ) for a critical term t_i of level ≤ n, then Δ⁺(Y, η) contains the update (f, (a'₁, …, a'_k), a'₀) where each a'_i is Val(t_i, Y, η).

Proof. Apply the preceding corollary to get Z such that (Z, η) agrees with (Y, η) on W and is isomorphic to (X, ξ). Because of the agreement on the bounded exploration witness W, we have all the desired conclusions with (Z, η) in place of (X, ξ). To complete the proof, we can replace (Z, η) with (X, ξ), thanks to the Isomorphism Postulate and the fact that isomorphisms respect evaluation of terms. □

We shall also need the notion of a successor of an attainable description. This corresponds to adjoining one new equivalence class at the end of a history, while leaving the state unchanged. That is, δ(X, ξ) is a successor of δ(X, ξ⁻), and δ(X, ξ⁻) is the predecessor of δ(X, ξ).

Remark 5.18. To avoid possible confusion, we emphasize that a successor of δ(X, η) need not be of the form δ(X, ξ) with ξ⁻ = η. It could instead be of the form δ(Y, ξ) for some other pair (Y, ξ) such that (Y, ξ⁻) is similar to (X, η), and there might be no way to extend η so as to obtain similarity with (Y, ξ). For a simple example, suppose the bounded exploration witness W contains only true, false, undef, and a variable. Let X be a structure containing only the three elements that are the values of true, false, and undef, and let Y be like X but with one additional element a. Suppose further that the algorithm is such that a single query q, say f[true], is caused by the empty history in every state. Then (X, ∅) and (Y, ∅) agree on W, and Y admits an attainable history ξ with Dom(ξ) = {q} and with ξ(q) = a. Then, since ξ⁻ = ∅, we have that δ(Y, ξ) is a successor of δ(Y, ∅) = δ(X, ∅). But there is no history ζ for X such that δ(Y, ξ) = δ(X, ζ); such a ζ would have to map q to a value distinct from true, false, and undef, and X has no such element. □

The use of the definite article in "the predecessor" is justified by the following observation, showing that δ(X, ξ⁻) is completely determined by δ(X, ξ). Thus, "predecessor" is a well-defined operation on attainable descriptions of non-zero length. Of course the situation is quite different for successors; one description can have many successors because there are in general many ways to extend an attainable history by appending one more equivalence class.

Corollary 5.19. Let (X, ξ) and (Y, η) be similar attainable pairs, and assume the (common) length of ξ and η is not zero. Then δ(X, ξ⁻) = δ(Y, η⁻).

Proof. By Corollary 5.16 we have an isomorphism i : (X, ξ) ≅ (Z, η) such that (Z, η) agrees with (Y, η) on W. Since the isomorphism i must, in particular, respect the pre-orderings, it follows immediately that i is also an isomorphism from (X, ξ⁻) to (Z, η⁻). From the definition of agreement, it follows immediately that (Z, η⁻) and (Y, η⁻) agree on W. Thus, by Lemma 5.13, (X, ξ⁻) and (Y, η⁻) are similar. □

The following information about successors will be useful when we verify that the ASM 
that we produce is equivalent to the given algorithm A. 

Lemma 5.20. Suppose (X, ξ) is an attainable pair and δ' is an attainable description that is a successor of δ(X, ξ). Then δ' = δ(Y, η) for some attainable pair (Y, η) such that

• η⁻ = ξ, and

• (X, ξ) and (Y, ξ) agree on W.

Proof. By definition of successor, we have an attainable pair (Z, θ) such that δ' = δ(Z, θ) and δ(X, ξ) = δ(Z, θ⁻). This last equality implies, by Corollary 5.16, that (X, ξ) and (Y, ξ) agree on W for some attainable pair (Y, ξ) isomorphic to (Z, θ⁻). Use the isomorphism to transport θ to an attainable history η for Y. Then δ' = δ(Z, θ) = δ(Y, η) because of the isomorphism, and η⁻ is the image, under the isomorphism, of θ⁻, i.e., η⁻ = ξ. □

5.5. The ASM program. We are now ready to describe the ASM program that will simulate our given algorithm $A$. Its structure will be a nested alternation of conditionals and parallel combinations, with updates, issue rules, and fail as the innermost constituents. The guards of the conditional subrules will be attainable descriptions. Recall that the critical terms involved in attainable descriptions all have levels $\le B$, and there are only finitely many such terms and therefore only finitely many attainable descriptions. An attainable description $\delta(X,\xi)$ will be said to have depth equal to the length of $\xi$. Lemma [ETS] ensures that this depth depends only on the description $\delta(X,\xi)$, not on the particular attainable pair $(X,\xi)$ from which it is obtained. Notice that the definition of descriptions immediately implies that any critical term occurring in a description has level $\le$ the depth of the description.

We construct the program $\Pi$ for an ASM equivalent to the given algorithm $A$ as follows. $\Pi$ is a parallel combination, with one component for each attainable description $\delta$ of depth zero. We describe the component associated to $\delta$ under the assumption that $\delta$ is not final, by which we mean that, in the attainable pairs $(X,\xi)$ with description $\delta$, the history $\xi$ is not final; we shall return later to the final case. (Recall that, by Corollary 5.17, whether $\xi$ is final in $X$ depends only on the description $\delta(X,\xi)$, so our case distinction here is unambiguous.)

The component associated to a non-final $\delta$ is a conditional rule of the form if $\delta$ then $R_\delta$, i.e., a conditional whose guard is $\delta$ itself. The body $R_\delta$ is a parallel combination, with one component for each successor $\delta'$ of $\delta$.

When $\delta'$ is not final, the associated component is a conditional rule if $\delta'$ then $R_{\delta'}$. The body $R_{\delta'}$ here is a parallel combination, with one component for each successor $\delta''$ of $\delta'$.

Continue in this manner until a final description $\varepsilon$ is reached. Since the depth increases by one when we pass from a description to a successor, and since all attainable histories have length (i.e., the depth of their descriptions) at most $B$, we will have reached final descriptions after at most $B$ iterations of the procedure. The component associated to a final description $\varepsilon=\delta(X,\xi)$ is if $\varepsilon$ then $R_\varepsilon$ endif, where $R_\varepsilon$ is the parallel combination of the following:

• fail if $\xi\in\mathcal{F}^-_X$,

• issue $\mu$ if $\mu$ is a q-term of level at most one more than the length of $\xi$ (that is, the depth of $\varepsilon$) and $\xi\vdash_X \text{q-Val}(\mu,X,\xi)$, and

• $f(t_1,\ldots,t_k):=t_0$ if the $t_i$ are critical terms of level at most the length of $\xi$ and they have values $a_i=\mathrm{Val}(t_i,X,\xi)$ such that $(f,(a_1,\ldots,a_k),a_0)\in\Delta^+(X,\xi)$.

It is important to note that, although the attainable pair $(X,\xi)$ was used in the specification of these components, they actually depend only on the description $\varepsilon$, by Corollary 5.17. This completes the definition of the program $\Pi$.

Remark 5.21. As in previous work on the ASM thesis, this program $\Pi$ is designed specifically for the proof of the thesis. That is, it works in complete generality and it admits a fairly simple, uniform construction. For practical programming of specific algorithms, there will normally be ASM programs far simpler than the one produced by our general method.
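To make the shape of the construction in this subsection concrete, here is an added toy model in Python. It is not part of the paper, and it rests on simplifications that are assumptions of the example only: a history is a tuple of (query, reply) pairs in order of receipt, each reply in its own equivalence class; an attainable description of depth $m$ is identified with the length-$m$ history prefix it describes, and evaluating it as a guard issues the queries it names; and `run` is a sketch of the rule semantics just rich enough to compute issued queries, finality, failure (fail or clashing updates) and the update set. The toy algorithm `algo`, its reply sets `REPLIES`, and the helper names `build_program`, `attainable_histories`, `final_body` and `check_equivalence` are all constructed here. The block builds $\Pi$ by the recursion described above (a parallel combination over depth-0 descriptions, each a guarded conditional whose body is again a parallel combination over successors, down to final descriptions whose bodies hold the update, issue and fail rules) and then checks, in the spirit of Theorem 5.22, that $\Pi$ and the algorithm agree on every attainable history.

```python
"""Toy model of the Section 5.5 construction of the ASM program Pi.

Added illustration, not the paper's formalism.  Assumed simplifications:
a history is a tuple of (query, reply) pairs in order of receipt (one
equivalence class per reply); a description of depth m is the length-m
history prefix it describes; `run` sketches just enough rule semantics.
"""
from dataclasses import dataclass
from typing import FrozenSet, NamedTuple, Tuple, Union

History = Tuple[Tuple[str, str], ...]
Update = Tuple[str, str]   # (location, value); terms are pre-evaluated constants here


class Outcome(NamedTuple):
    issued: FrozenSet[str]
    final: bool
    failed: bool
    updates: FrozenSet[Update]


# Rule syntax: the innermost constituents plus the two combinators of 5.5.
@dataclass(frozen=True)
class Issue: query: str
@dataclass(frozen=True)
class Upd: loc: str; val: str
@dataclass(frozen=True)
class Fail: pass
@dataclass(frozen=True)
class Cond: guard: History; body: "Rule"     # guard is a description
@dataclass(frozen=True)
class Par: parts: Tuple["Rule", ...]
Rule = Union[Issue, Upd, Fail, Cond, Par]


def run(rule: Rule, h: History) -> Outcome:
    """Evaluate `rule` in history h under the assumed semantics above."""
    dom = dict(h)
    if isinstance(rule, Issue):
        return Outcome(frozenset({rule.query}), True, False, frozenset())
    if isinstance(rule, Upd):
        return Outcome(frozenset(), True, False, frozenset({(rule.loc, rule.val)}))
    if isinstance(rule, Fail):
        return Outcome(frozenset(), True, True, frozenset())
    if isinstance(rule, Cond):
        needed = frozenset(q for q, _ in rule.guard)  # q-terms the guard evaluates
        if not needed <= set(dom):                    # unanswered query: not final
            return Outcome(needed, False, False, frozenset())
        if h[:len(rule.guard)] != rule.guard:         # guard false: nothing to do
            return Outcome(needed, True, False, frozenset())
        inner = run(rule.body, h)
        return Outcome(needed | inner.issued, inner.final, inner.failed, inner.updates)
    parts = [run(p, h) for p in rule.parts]           # Par: final iff all parts final;
    updates = frozenset().union(*(p.updates for p in parts))
    locs = [loc for loc, _ in updates]                # fails on any fail or a clash
    return Outcome(frozenset().union(*(p.issued for p in parts)),
                   all(p.final for p in parts),
                   any(p.failed for p in parts) or len(locs) != len(set(locs)),
                   updates)


def build_program(depth0, successors, is_final, final_body) -> Par:
    """The 5.5 recursion: `if d then R_d` per description, R_d the parallel
    combination over d's successors, down to final descriptions."""
    def component(d):
        body = final_body(d) if is_final(d) else [component(s) for s in successors(d)]
        return Cond(d, Par(tuple(body)))
    return Par(tuple(component(d) for d in depth0))


# A constructed toy algorithm A with a single state (one depth-0 description).
REPLIES = {"q0": ("ok", "bad"), "q1": ("x", "y")}


def algo(h: History) -> Outcome:
    """A asks q0, then q1; once both are answered the step is final, it writes
    f := reply(q1), and it fails if reply(q0) == 'bad'."""
    dom = dict(h)
    issued = {"q0"} | ({"q1"} if "q0" in dom else set())
    final = {"q0", "q1"} <= set(dom)
    updates = {("f", dom["q1"])} if final else set()
    return Outcome(frozenset(issued), final, final and dom["q0"] == "bad", frozenset(updates))


def attainable_histories() -> list:
    """Close the empty history under answering one pending query; stop at final ones."""
    out, frontier = [], [()]
    while frontier:
        h = frontier.pop()
        out.append(h)
        if not algo(h).final:
            for q in sorted(algo(h).issued - set(dict(h))):
                frontier.extend(h + ((q, r),) for r in REPLIES[q])
    return out


def successors(d: History) -> list:
    return [h for h in attainable_histories() if len(h) == len(d) + 1 and h[:len(d)] == d]


def final_body(d: History) -> list:
    o = algo(d)   # updates, queries A issues but are unanswered, and fail, as in 5.5
    return ([Upd(loc, val) for loc, val in sorted(o.updates)]
            + [Issue(q) for q in sorted(o.issued - set(dict(d)))]
            + ([Fail()] if o.failed else []))


PI = build_program([()], successors, lambda d: algo(d).final, final_body)


def check_equivalence() -> bool:
    """Theorem 5.22 in miniature: Pi and A agree on every attainable history."""
    return all(run(PI, h) == algo(h) for h in attainable_histories())
```

Running `check_equivalence()` returns `True`: in every one of the seven attainable histories of the toy, the constructed program issues the same queries as the algorithm, is final exactly when the algorithm is, and produces the same updates and the same failure verdict. The design mirrors the text in one essential respect: guard evaluation is what issues queries below the final level, and only the bodies of final descriptions carry issue, update and fail rules.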

5.6. Equivalence. It remains to show that the ASM defined by $\Pi$ is equivalent to the given algorithm $A$. For brevity, we sometimes refer to this ASM as simply $\Pi$.

Theorem 5.22. The ASM defined by $\Pi$ together with $S$, $I$, $T$, $A$, $E$, and the template assignment of subsection \5.^ is equivalent to algorithm $A$.

Proof. Referring to Lemma 4.3 of [3], we see that it suffices to show the following, for every pair $(X,\xi)$ that is attainable for both the algorithm $A$ and our ASM.

(1) $\mathrm{Issued}_X(\xi)$ is the same for our ASM as for $A$.

(2) If $\xi$ is in $\mathcal{F}^+_X$ or $\mathcal{F}^-_X$ with respect to one of $A$ and our ASM, then the same is true with respect to the other.

(3) If $\xi\in\mathcal{F}^+_X$, then $\Delta^+(X,\xi)$ is the same with respect to our ASM and with respect to $A$.

Consider, therefore, an attainable pair $(X,\xi)$ (with respect to $A$) and the behavior of our ASM in this pair.

Let $n$ be the length of $\xi$, and for each $m\le n$ let $\xi{\restriction}m$ be the initial segment of $\xi$ of length $m$. According to Lemma 5.15, the only attainable descriptions satisfied by $(X,\xi)$ are those of the form $\delta(X,\xi{\restriction}m)$, one of each depth $m\le n$.

Issuing Queries. 

We begin by analyzing the queries issued by our ASM in state X with history ^. (Parts 
of this analysis will be useful again later, when we analyze finality, success, failure, and 
updates.) For readability, our analysis will be phrased in terms of the ASM performing 
various actions, such as issuing queries or passing control to a branch of a conditional rule. 
Of course, this could be rewritten more formally in terms of the detailed semantics of ASMs, 
but the formalization seems to entail more costs, both for the reader and for the authors, 
than benefits. 

The ASM acting in state $X$ with history $\xi$ begins, since $\Pi$ is a parallel combination, by executing all the components associated with attainable descriptions of depth 0. Recall that these components are conditional rules whose guards are the descriptions themselves. These descriptions contain only critical terms of depth 0, so there are no external function symbols here. Therefore, no queries result from the evaluation of the guards. By Lemma 5.15, the ASM finds exactly one of the guards to be true, namely $\delta(X,\xi{\restriction}0)$, and it proceeds to execute the body $R_{\delta(X,\xi\restriction 0)}$ of this conditional rule.

Let us suppose, temporarily, that $n>0$, so, as $\xi$ is attainable, $\xi{\restriction}0$ is not final. (We shall return to the other case later.) So $R_{\delta(X,\xi\restriction 0)}$ is a parallel combination, and our ASM proceeds to execute its components. These are conditionals, whose guards $\delta'$ are the successors of $\delta(X,\xi{\restriction}0)$. So these guards are $\delta(Y,\eta)$ for attainable pairs $(Y,\eta)$ as in Lemma 5.20. In particular, $\eta$ has length 1 and $\eta^-=\xi{\restriction}0$. (This last equation is redundant as both sides are histories of length 0, but we include it to match what will occur in later parts of our analysis.) Inspection of the definition of descriptions shows that every query issued during the evaluation of such a guard is also issued by the algorithm $A$ operating in the attainable pair $(Y,\eta^-)=(Y,\xi{\restriction}0)$. Since $(Y,\xi{\restriction}0)$ agrees with $(X,\xi{\restriction}0)$ on $W$, these are queries issued by $A$ in $(X,\xi{\restriction}0)$.

The converse also holds. If a query $q$ is issued by $A$ in $(X,\xi{\restriction}0)$, then there is an attainable history $\eta$ for $X$ in which $q$ is in the first and only equivalence class of $\mathrm{Dom}(\eta)$; simply define $\eta$ to give $q$ an arbitrary reply and to do nothing more. By Lemma 5.8, $q$ is the query-value of some q-term $u$ of level 1, and therefore $\delta(X,\eta)$ contains the conjunct $u=u$. Thus, in evaluating the guard $\delta(X,\eta)$, our ASM will issue $q$.

Having evaluated the guards of depth 1, our ASM finds, according to Lemma 5.15, that exactly one of them is true, namely $\delta(X,\xi{\restriction}1)$, so it proceeds to evaluate the corresponding body $R_{\delta(X,\xi\restriction 1)}$. Let us suppose, temporarily, that $n>1$, so, as $\xi$ is attainable, $\xi{\restriction}1$ is not final. So $R_{\delta(X,\xi\restriction 1)}$ is a parallel combination, and our ASM proceeds to execute its components. These are conditionals, whose guards $\delta'$ are the successors of $\delta(X,\xi{\restriction}1)$. So these guards are $\delta(Y,\eta)$ for attainable pairs $(Y,\eta)$ as in Lemma 5.20. In particular, $\eta$ has length 2 and $\eta^-=\xi{\restriction}1$. Inspection of the definition of descriptions shows that every query issued during the evaluation of such a guard is also issued by the algorithm $A$ operating in the attainable pair $(Y,\eta^-)=(Y,\xi{\restriction}1)$. Since $(Y,\xi{\restriction}1)$ agrees with $(X,\xi{\restriction}1)$ on $W$, these are queries issued by $A$ in $(X,\xi{\restriction}1)$.

The converse also holds. If a query $q$ is issued by $A$ in $(X,\xi{\restriction}1)$, but not already in $(X,\xi{\restriction}0)$, then there is an attainable history $\eta$ for $X$, which has $\xi{\restriction}1$ as an initial segment, and in which $q$ is in the second and last equivalence class of $\mathrm{Dom}(\eta)$; simply define $\eta$ by extending $\xi{\restriction}1$ to give $q$ an arbitrary reply, in a new, second equivalence class, and to do nothing more. By Lemma 5.8, $q$ is the query-value of some critical term $u$ of level 2, and therefore $\delta(X,\eta)$ contains the conjunct $u=u$. Thus, in evaluating the guard $\delta(X,\eta)$, our ASM will issue $q$.

The reader should, at this point, experience déjà vu, since the argument we have just given concerning the behavior of our ASM while executing $R_{\delta(X,\xi\restriction 1)}$ is exactly parallel to the previous argument concerning $R_{\delta(X,\xi\restriction 0)}$. The same pattern continues as long as the depths of the guards are $\le n$, so that we have not arrived at a final history.

Consider now what happens when the ASM evaluates $R_{\delta(X,\xi\restriction n)}=R_{\delta(X,\xi)}$. If the history $\xi$ is not final, then the same argument as before shows that the ASM will issue, while evaluating the guards of the components of $R_{\delta(X,\xi)}$, the same queries as the original algorithm $A$. Furthermore, the ASM will find none of the guards here to be true, for these guards are descriptions of depth $n+1$ and can, by Lemma 5.15, be satisfied only with histories of length at least $n+1$. So the execution of the ASM produces no additional queries beyond those that we have already shown to agree with those produced by $A$.

There remains the situation that $\xi$ is final for $A$ and $X$. In this case, the components of $R_{\delta(X,\xi)}$ are no longer conditional rules, the evaluation of whose guards causes the appropriate queries to be issued by the ASM. Rather, the components are issue rules, updates, or fail. Only the issue rules here will result in new queries; the queries involved in evaluating the terms in update rules and in the issue rules have already been issued during the evaluation of guards. And the issue rules are chosen precisely to issue the queries that $A$ would issue in $(X,\xi)$.

This completes the proof that our ASM and A agree as to issuing queries. They therefore 
agree as to which histories are coherent. 

Finality, Success, and Failure. We next consider which histories are declared final by our ASM. Suppose first that $\xi$ is final for $A$ in $X$. Then, as the preceding analysis of the ASM's behavior shows, the ASM will, after evaluating a lot of guards, find itself executing $R_{\delta(X,\xi)}$, which is a parallel combination of issue rules, update rules, or fail. The subterms of any update rules here will already have been evaluated during the evaluation of the guards, so $\xi$ is final for these update rules. The same goes for the issue rules; their subterms have already been evaluated, and so $\xi$ is final. Any history is final for fail. Thus $\xi$ is final for all the components of $R_{\delta(X,\xi)}$ and is therefore final for $R_{\delta(X,\xi)}$ itself. From the definition of the semantics of parallel combinations and conditional rules, it follows that $\xi$ is also final for $\Pi$, as required.

Now suppose that $\xi$ is (attainable but) not final for $A$ in state $X$. There will be some queries that have been issued by $A$ but not answered, i.e., that are in $\mathrm{Issued}_X(\xi)-\mathrm{Dom}(\xi)=\mathrm{Pending}_X(\xi)$, for otherwise $\xi$ would be complete and attainable and therefore, by the Step Postulate, final. So our ASM will issue some queries whose answers are needed for the evaluation of the guards of some components of $R_{\delta(X,\xi)}$, but whose answers are not in $\xi$. Therefore, $\xi$ is not a final history for the ASM in state $X$. This completes the proof that our ASM agrees with $A$ as to finality of histories.

We check next that a final history $\xi$ succeeds or fails for our ASM according to whether it succeeds or fails for $A$. It fails for our ASM if and only if, after evaluating all the guards and while executing $R_{\delta(X,\xi)}$, it encounters either fail or clashing updates (see the definition of failure for parallel combinations). By definition of our ASM, it encounters fail if and only if $A$ fails in $(X,\xi)$. Furthermore, it will not encounter clashing updates unless $A$ fails, because, as we shall see below, it encounters exactly the updates produced by $A$, and these cannot, by the Step Postulate, clash unless $A$ fails.

Updates. To complete the proof, we have to check what updates our ASM encounters. Our construction of $\Pi$ is such that update rules are encountered only in the subrules for final histories. Furthermore, these update subrules are chosen to match the updates performed by $A$. So our ASM and $A$ produce the same updates in any final history.

This completes the verification that our ASM is equivalent to the given algorithm A. □ 



6. Concluding Remarks 

Theorem 5.22 establishes the ASM thesis for small-step, interactive algorithms, as defined by the postulates of [5]. This completes the program of proving the ASM thesis in the small-step case. The case of parallel algorithms, without intrastep interaction, was treated in [1], but the task of combining intrastep interaction with parallelism remains for future work. Beyond that, there is the task of treating distributed algorithms.

The ASM syntax and semantics presented in Sections 2 and 3 serve to describe just what has to be added to the traditional ASM syntax and semantics of [9] in order to accommodate non-ordinary interaction. Essentially, one needs timing guards and the Kleene connectives. It remains to be seen whether these additions will also suffice to model all interactive parallel algorithms.